Limited Liability Partnership "FATON"
BIN 260340014002
PRIVACY POLICY
FOR PERSONAL DATA OF
COURIERS, DRIVERS AND PARTNERS
Last updated: ____________ 2026
This Privacy Policy for Personal Data of Couriers, Drivers and Partners (the "Policy") has been developed by Limited Liability Partnership "FATON" (the "Company") in accordance with the Law of the Republic of Kazakhstan dated 21 May 2013 No. 94-V "On Personal Data and Their Protection", as well as the applicable requirements of mobile application distribution platforms (App Store, Google Play).
This Policy establishes the procedures for collection, processing, storage, protection and transfer of personal data of individuals acting as Couriers (including self-employed individuals), Drivers (including self-employed individuals), as well as authorised representatives, contact persons and other individuals associated with Partners — legal entities and individual entrepreneurs. This Policy does not govern the processing of personal data of Application Users: the applicable terms are set out in a separate privacy policy for Users.
By accepting the terms of the relevant agreement with the Company (a courier services agreement, a passenger transport services agreement or a partnership agreement) and/or by registering in the Application or the Personal Account, the Courier and/or Driver and/or the Partner confirm that they have read this Policy and consent to the processing of personal data as described herein.
1. DEFINITIONS
In this Policy, the following terms have the meanings set out below:
- "Company" — Limited Liability Partnership "FATON", BIN 260340014002, registered address: Republic of Kazakhstan, Almaty, Auezov District, 87 Zhandosova Street, postal code 050043.
- "Application" — the "FATON" mobile application for mobile devices, web services and Courier/Driver/Partner personal accounts through which the Company facilitates interaction between Users, Partners, Couriers and Drivers.
- "Courier" — an individual (including a person applying the special tax regime for self-employed persons), individual entrepreneur or legal entity (acting through its employees) accessing the Application and providing delivery services for Goods and/or Consignments under a Principal Agreement with the Company.
- "Driver" — an individual (including a person applying the special tax regime for self-employed persons), individual entrepreneur or legal entity (acting through its employees) accessing the Application and providing passenger transport (ride-hailing) services using a vehicle as an independent contractor under a Principal Agreement with the Company.
- "Partner" — an individual (including a person applying the special tax regime for self-employed persons), individual entrepreneur or legal entity (acting through its employees) accessing the Application to list its goods and/or services and fulfil User Orders under a Principal Agreement with the Company.
- "Personal Data" — any information relating to a directly or indirectly identified or identifiable individual (data subject), received or processed by the Company in connection with the conclusion and performance of an agreement with a Courier, Driver or Partner.
- "Processing of Personal Data" — any action (operation) or set of actions performed with personal data, including: collection, recording, systematisation, accumulation, storage, updating (modification), retrieval, use, transfer (distribution, provision, access), anonymisation, blocking, deletion, destruction.
- "Controller" — the Company, which independently or jointly with other persons determines the purposes and means of processing of Couriers', Drivers' and Partners' personal data.
- "Data Subject" — an individual whose personal data are processed in accordance with this Policy.
2. PERSONAL DATA CONTROLLER
The controller of personal data collected and processed in accordance with this Policy is:
Limited Liability Partnership "FATON"
BIN: 260340014002
Registered address: Republic of Kazakhstan, Almaty, Auezov District, 87 Zhandosova Street, postal code 050043
Email: info@faton.kz
Phone: ________________________
For any questions regarding the processing of personal data, please contact us using the details above or submit a written request through the Personal Account on the Application.
3. SCOPE OF THIS POLICY
3.1. This Policy applies to the following data subjects:
With respect to Couriers and Drivers:
- individuals (self-employed persons) who have registered on the Application as Couriers and have entered into a services agreement with the Company;
- individual entrepreneurs providing delivery services;
- individuals (self-employed persons), individual entrepreneurs or legal entities registered on the Application as Drivers and having entered into a passenger transport services agreement with the Company;
- employees and representatives of legal entities acting as Couriers or Drivers (with respect to the personal data of their authorised individuals).
With respect to Partners:
- individuals — individual entrepreneurs who are Partners;
- authorised representatives and contact persons of legal entities that are Partners (directors, managers, operational staff identified upon registration);
- other individuals whose personal data have been provided by the Partner to the Company in connection with the conclusion and performance of the partnership agreement.
3.2. This Policy does not apply to personal data of Application Users, which are processed in accordance with a separate privacy policy for Users.
3.3. Where a Partner provides the Company with personal data of its employees, the Partner warrants that it has lawful grounds for such transfer under the legislation of the Republic of Kazakhstan and notifies the relevant individuals of the terms of this Policy.
4. PERSONAL DATA COLLECTED BY THE COMPANY
4.1. Courier and Driver Data
Depending on the Courier's or Driver's legal status (self-employed individual, individual entrepreneur or employee of a legal entity), the Company may collect the following categories of personal data:
4.1.1. Identification and registration data:
last name, first name, patronymic (if any);
individual identification number (IIN);
series, number and date of issue of identity document (identity card / passport);
date of birth; citizenship; registered address.
4.1.2. Contact data:
mobile phone number; email address
4.1.3. Financial and tax data:
bank account details (IBAN, bank name, BIC);
information on the applicable tax regime (special tax regime for self-employed persons, individual entrepreneur status, BIN if applicable);
data required for the Company to fulfil its obligations as a tax agent (where applicable);
data on income paid by the Company and tax withholdings made.
4.1.4. Vehicle and permit data:
driving licence series and number, category, date of issue and expiry date;
vehicle registration number;
vehicle make, model, year of manufacture and colour;
information on the vehicle owner's civil liability insurance;
work permit and residence permit data (for foreign nationals).
4.1.5. Medical data (applicable to Couriers):
information on mandatory medical examinations under the legislation of the Republic of Kazakhstan (availability of medical certificates);
name of the medical institution and date of examination.
Note: Medical data are processed to the minimum extent necessary solely to comply with the legal requirements on admission of Couriers to the provision of Services.
4.1.6. Operational and transactional data (for Couriers and Drivers):
data on accepted and declined orders;
for Couriers — history of completed delivery assignments: date, time, delivery route, status; for Drivers — trip history: date, time, trip route, fare zone, distance, travel time;
amounts of accrued and paid remuneration; data on deductions and withholdings from remuneration;
data on completion certificates (acts of services rendered) signed by the Courier or Driver;
User ratings and reviews of the Courier or Driver (aggregated).
4.1.7. Geolocation data:
data on the Courier's or Driver's current location in real time during an active session (while online on the Application);
routes taken during the performance of orders and trips;
geolocation history for the period of order performance and trips.
Geolocation data are collected only during the Courier's or Driver's active session on the Application. Background geolocation collection (when the Application is minimised) occurs exclusively during an active accepted order — for Couriers: for delivery tracking by the User; for Drivers: for trip route tracking by the User.
4.1.8. Technical data:
device IP address; type and model of mobile device; operating system version; Application version; unique device identifiers;
Application activity logs (login time, accepted assignments, technical errors).
4.1.9. Cash transaction data (applicable to Couriers):
information on cash amounts received from Users;
data on cash deposits to the Company's account; history of cash transactions through the Application.
4.1.10. Company equipment data (applicable to Couriers):
information on the deposit for the thermal bag and other equipment provided by the Company;
equipment status (issued, returned, lost).
4.2. Partner Data
With respect to Partners that are legal entities, the Company processes personal data of individuals acting on behalf of or in the interests of the Partner:
4.2.1. Data of authorised representatives and contact persons:
last name, first name, patronymic (if any); job title and role within the organisation; mobile phone number; email address.
4.2.2. Data of individual entrepreneurs who are Partners:
last name, first name, patronymic (if any); IIN; identity document details; registered address; mobile phone number; email address; bank account details for settlements.
4.2.3. Operational Partner data:
history of orders processed through the Application; settlement data; User ratings and reviews (aggregated); Personal Account login data; data on the Partner's menu content.
4.2.4. Technical data:
IP address; browser/application type and version; operating system version; Personal Account activity logs.
4.3. Sources of Personal Data
The Company obtains personal data from the following sources:
directly from the Courier, Driver or Partner — upon completion of the registration form, upon conclusion of the agreement and upon updates made in the Personal Account;
automatically — during use of the Application and Application (geolocation, technical logs, activity data);
from third parties — payment organisations, tax authorities and state information systems (to the extent provided by law);
from publicly available sources — state registers (to the extent necessary to verify individual entrepreneur / self-employed status).
5. PURPOSES AND LEGAL BASES FOR PROCESSING PERSONAL DATA
5.1. The Company processes personal data solely for specific, predetermined and lawful purposes. Processing for purposes incompatible with those stated is not carried out.
5.2. The legal bases for processing personal data are:
- consent of the data subject;
- necessity to perform a contract to which the data subject is a party (including a contract of carriage for Drivers), or to take steps at the data subject's request prior to entering into a contract;
- fulfilment of obligations imposed by the legislation of the Republic of Kazakhstan (in particular, tax agent obligations and admission-to-activity requirements);
- legitimate interests of the Company (ensuring Application security, fraud prevention, service quality improvement) — provided that such processing does not override the rights and interests of data subjects.
5.3. Table of processing purposes and legal bases:
| Purpose of Processing | Categories of Data | Legal Basis |
|---|---|---|
| Identification of the Courier, Driver / Partner; conclusion and performance of the agreement | Full name, IIN, identity document, contact data, bank details | Performance of contract; consent |
| Admission of the Courier to the provision of Services (verification of documents, permits and medical examinations) | Driving licence, vehicle data, medical certificates, work permit (for foreign nationals) | Compliance with legal requirements; performance of contract |
| Admission of the Driver to the provision of transport services (verification of driving licence, vehicle data, insurance, permits) | Driving licence (category, expiry), vehicle data (make, model, colour, registration number), insurance policy, work permit (for foreign nationals) | Compliance with passenger transport legislation; performance of contract |
| Organisation and monitoring of courier services | Geolocation, operational data (orders, delivery routes, statuses) | Performance of contract; consent |
| Organisation and monitoring of Driver passenger transport services | Real-time geolocation, trip data (route, distance, time), vehicle data | Performance of contract; consent |
| Calculation and payment of Courier / Driver remuneration | Bank details, data on completed assignments/trips, completion certificates | Performance of contract |
| Performance of tax agent obligations | IIN, tax status information, payment amounts | Compliance with tax legislation of the Republic of Kazakhstan |
| Provision of access to the Partner's Personal Account and menu management | Authorised representative data, technical data | Performance of contract; consent |
| Settlements with the Partner (commissions, payments) | Individual entrepreneur–Partner data, bank details, operational data | Performance of contract |
| Application security and fraud prevention | Technical data, activity data, geolocation | Legitimate interest of the Company |
| Service quality control (ratings, reviews, compliance checks) | Operational data, aggregated ratings of Couriers/Drivers/Partners | Performance of contract; legitimate interest |
| Enabling communication between Courier/Driver, Partner and User | Phone number (via masking), order/trip data | Performance of contract; consent |
| Dispute resolution and complaint handling | Operational data, correspondence, order/trip data | Performance of contract; legitimate interest; legal obligation |
| Sending notifications on changes to agreement terms and the Policy | Contact data (phone, email) | Performance of contract; legitimate interest |
| Improving Application functionality and analysing usage | Technical data, operational data (anonymised or aggregated) | Legitimate interest; consent |
| Record-keeping for accounting and tax reporting | Full name, IIN, financial and contractual data | Compliance with legislation of the Republic of Kazakhstan |
6. TRANSFER OF PERSONAL DATA TO THIRD PARTIES
6.1. The Company does not transfer Couriers', Drivers' and Partners' personal data to third parties except as expressly provided by this Policy or the legislation of the Republic of Kazakhstan.
6.2. Transfers are made exclusively to the extent necessary to achieve the relevant purpose.
6.3. Application Users
For the purpose of fulfilling an Order or trip, the following Courier or Driver data may be made available to the User:
Courier's or Driver's first name; profile photo (if available); aggregated rating;
vehicle make, model, colour and registration number;
Courier's or Driver's current real-time location (for delivery or trip tracking);
phone number — via a secure number-masking system (direct exchange of phone numbers between the Courier/Driver and the User does not occur unless technically required).
For the purpose of fulfilling an Order, the following Partner data may be displayed to the User: trading name, operating hours, operational contact phone number.
6.4. Payment Organisations
To arrange payment of Courier or Driver remuneration or settlements with the Partner, the following data may be transferred: full name and IIN (for payee identification); bank account details (IBAN); payment amounts.
The Company is not liable for the actions of payment organisations in processing the transferred data.
6.5. Tax Authorities and Government Bodies
In fulfilment of its tax agent obligations, the Company submits the following data to the competent authorities of the Republic of Kazakhstan: Courier's or Driver's full name and IIN; information on income paid and taxes withheld.
Other transfers of data to government bodies are made in cases expressly provided by the legislation of the Republic of Kazakhstan.
6.6. Technical Infrastructure and Cloud Service Providers
To ensure Application operation, hosting providers and cloud service providers may have access to data. The Company enters into data processing agreements with such providers requiring them to maintain confidentiality and apply appropriate security measures.
6.7. Analytics and Technical Services
Third-party technical and analytics services may be used to ensure Application operability, monitor errors and improve the user experience. Data transfers to such services are made in anonymised or aggregated form, or to the minimum extent necessary for technical operation.
6.8. Other Couriers, Drivers and Partners
Personal data of one Courier, Driver or Partner are not transferred to other Couriers, Drivers or Partners, except where necessary to organise a specific delivery or trip (for example, the Partner providing the Courier with a confirmation code upon order pick-up).
7. COURIER AND DRIVER GEOLOCATION DATA: SPECIAL PROVISIONS
7.1. The Company attaches particular importance to transparency in the processing of Couriers' and Drivers' geolocation data, as the most sensitive category of data collected in real time.
7.2. Courier and Driver geolocation data are collected:
during an active session on the Application (status "online") — to display the Courier or Driver as available for order assignment;
during the performance of an accepted order — for Couriers: to display delivery status and route to the User in real time; for Drivers: to display the vehicle location and trip route to the User; in both cases — for routing, quality control and dispute resolution;
to create a route history for dispute resolution, remuneration calculation and quality control.
7.3. Geolocation data are NOT collected: when the Courier or Driver is in offline mode (has not activated a session on the Application); in continuous background mode outside of active sessions.
7.4. The Courier and Driver consent to the collection of geolocation data to the described extent upon accepting the terms of the agreement and this Policy. The Courier and Driver may stop geolocation data collection at any time by ending the session on the Application (switching to offline mode) or by revoking the geolocation permission in the mobile device settings. Revoking the geolocation permission makes it impossible to fulfil orders or trips through the Application.
7.5. The Courier's or Driver's geolocation data are shared with the User solely in the context of a specific order or trip and only during its performance.
8. PERSONAL DATA RETENTION PERIODS
8.1. Personal data are retained no longer than is necessary to achieve the purposes of their processing, taking into account the requirements of the legislation of the Republic of Kazakhstan.
8.2. The following indicative retention periods apply:
| Category of Data | Retention Period |
|---|---|
| Identification and registration data (full name, IIN, documents) | For the duration of the agreement + 5 years after termination |
| Financial data (payments, withholdings, account details) | For the duration of the agreement + 5 years (tax legislation of the Republic of Kazakhstan) |
| Operational data (order/trip history, completion certificates) | 3 years after termination of the agreement |
| Geolocation data (delivery and trip route history) | 1 year from the date of delivery or trip |
| Technical data (logs, activity records) | 1 year from the date the record was created |
| Data of authorised representatives of the Partner | For the duration of the agreement with the Partner + 3 years |
| Medical data — medical examination certificates (applicable to Couriers) | Until expiry of the certificate + 1 year |
| Vehicle and document data of the Courier or Driver | For the duration of the agreement + 1 year |
8.3. Upon expiry of the retention periods, personal data shall be deleted or anonymised, unless their further retention is required by applicable law.
8.4. Data required to comply with court orders or orders of government authorities shall be retained until the relevant requirements have been fulfilled.
9. PERSONAL DATA SECURITY
9.1. The Company applies a set of technical and organisational measures to protect Couriers', Drivers' and Partners' personal data from unauthorised access, alteration, disclosure, destruction or loss.
9.2. Measures applied include:
- encryption of data in transit (TLS/HTTPS);
- storage of data on secure servers with restricted access, located in the Republic of Kazakhstan;
- differentiation of access rights to personal data among Company employees (least-privilege principle);
- periodic security audits of information systems;
- mandatory confidentiality obligations for Company employees who have access to personal data;
- intrusion detection and monitoring systems; data backup.
9.3. In the event of a security breach, the Company undertakes to: take immediate steps to remediate the breach; notify data subjects and the competent personal data protection authority in the manner and within the time limits provided by the legislation of the Republic of Kazakhstan.
10. CROSS-BORDER TRANSFER OF PERSONAL DATA
10.1. As a general rule, the Company does not transfer Couriers', Drivers' and Partners' personal data across borders.
10.2. All collection, storage and primary processing of personal data is carried out within the Republic of Kazakhstan.
10.3. Should a transfer of personal data outside the Republic of Kazakhstan become necessary, such transfer shall be made in compliance with the requirements of the legislation of the Republic of Kazakhstan on personal data protection.
10.4. The Company is not liable for cross-border transfers of personal data made independently by third parties (payment organisations, technical providers) outside the Company's control.
11. RIGHTS OF DATA SUBJECTS
11.1. In accordance with the legislation of the Republic of Kazakhstan, a Courier or Driver and Partner have the right to:
11.1.1. Right to Information
Receive information on the processing of their personal data, including: the list of data being processed; the purposes and legal bases of processing; details of third parties to whom data have been transferred; data retention periods.
11.1.2. Right of Access
Obtain access to their personal data processed by the Company, including through the Personal Account on the Application.
11.1.3. Right to Rectification
Request the correction of inaccurate, incomplete or outdated personal data. Some data may be updated independently in the Personal Account.
11.1.4. Right to Erasure (Blocking)
Important: Deletion of personal data prior to the expiry of established retention periods is not possible with respect to data that must be retained under applicable law.
11.1.5. Right to Withdraw Consent
A Courier, Partner or Driver may withdraw consent to the processing of personal data based on consent. Withdrawal does not affect the lawfulness of prior processing. Withdrawal renders further provision of Services impossible and constitutes grounds for termination of the agreement.
11.1.6. Right to Object
Object to the processing of personal data carried out on the basis of the Company's legitimate interest, where the data subject considers that such processing infringes their rights.
11.2. To exercise the rights listed above, the Courier, Driver or Partner must submit a request: through the Personal Account on the Application; by email: info@faton.kz; or in writing to the Company's registered address.
11.3. The Company reviews data subject requests within 15 business days of receipt and provides a reasoned response.
12. OBLIGATIONS OF COURIERS, DRIVERS AND PARTNERS IN PROCESSING THIRD-PARTY DATA
12.1. In the course of providing Services, the Courier and Driver gain access to personal data of Application Users (name, phone number, delivery address and other data required to fulfil the order). The
Courier and Driver act as data processors on behalf of the Company and must:
- use Users' personal data solely to fulfil the specific order or trip;
- not disclose Users' data to third parties;
- not store Users' data on their own devices outside the Application;
- immediately notify the Company (within no more than 24 hours) of any actual or suspected unauthorised access to Users' data;
- upon completion of the order or trip, not use the Users' data obtained for any other purpose.
12.2. A Partner that receives Users' personal data in the course of fulfilling orders must: use Users' personal data solely to prepare and hand over the Order; not use the data for marketing purposes without a separate consent from the User; not transfer the data to third parties; ensure the protection of data received and delete them upon completion of order fulfilment.
12.3. A breach of the above obligations by a Courier, Driver or Partner constitutes grounds for liability under the agreement and the legislation of the Republic of Kazakhstan, and may result in immediate suspension of access to the Application and termination of the agreement.
13. AUTOMATED DECISION-MAKING
13.1. The Company may use automated systems for:
assigning orders and trips among available Couriers and Drivers (dispatch algorithm);
calculating Courier and Driver remuneration under dynamic pricing;
generating Courier, Driver and Partner ratings based on order performance and trip data;
detecting suspicious usage patterns on the Application (anti-fraud).
13.2. The Company undertakes to ensure that decisions produced by automated systems that materially affect the rights of Couriers, Drivers and Partners (in particular, decisions on remuneration withholding or access suspension) may be challenged by contacting the Company's support service.
14. DATA OF MINORS
14.1. The Company does not engage persons under the age of 18 to provide Services and does not enter into agreements with them.
14.2. The Company does not knowingly collect personal data of minors. If it becomes aware that a minor has provided their data, the Company will immediately block the relevant Account and delete the personal data.
15. CHANGES TO THIS POLICY
15.1. The Company reserves the right to amend this Policy at any time without prior notice to data subjects, except where such notice is required by law.
15.2. The current version of the Policy is available in the Application, the Personal Account and on the Company's official website.
15.3. Material changes that affect data subjects' rights will be communicated to Couriers, Drivers and Partners through the Application (notification in the Personal Account, push notification and/or email) at least 7 (seven) days before they take effect.
15.4. Continued use of the Application after changes take effect constitutes acceptance of the updated Policy. If a Courier, Driver or Partner disagrees with the changes, they may stop using the Application and terminate the agreement with the Company by providing the relevant notice.
16. GOVERNING LAW
16.1. This Policy has been developed and is applied in accordance with the legislation of the Republic of Kazakhstan, including: Law of the Republic of Kazakhstan dated 21 May 2013 No. 94-V "On Personal Data and Their Protection"; Tax Code of the Republic of Kazakhstan (with respect to tax agent obligations); other applicable regulatory legal acts of the Republic of Kazakhstan.
16.2. Any disputes related to the application of this Policy shall be resolved in the manner established by the agreement between the Company and the Courier / Driver / Partner.
17. CONTACT INFORMATION
For any questions regarding the processing of personal data under this Policy and to exercise data subject rights, please contact:
Limited Liability Partnership "FATON"
Registered address: Republic of Kazakhstan, Almaty, Auezov District, 87 Zhandosova Street, postal code 050043
Email: info@faton.kz
Phone: ________________________
Application Personal Account: "Support" / "Personal Data" section
_________________________________________
Limited Liability Partnership "FATON"
BIN 260340014002