GENERAL PERSONAL DATA PROCESSING POLICY

1.1.

1.2. Scope of Application (what the Policy regulates):

1.3. What the Policy does not regulate (exclusions):

• the processing of personal data of respondents (participants in surveys/research/activities) – a special document, the 'Policy on the Processing of Personal Data of Respondents,' applies;
• the processing of personal data of employees (Company staff) and candidates – the Company's personnel/HR policies and local acts apply;
• the processing of Cookie files – a special document, the 'Cookie Policy,' published on the Website, applies;
• the processing of personal data on behalf of the Company's partners (see Section 11 for details) – a special Data Processing Agreement (DPA) applies, or in its absence, the Standard DPA published on the Website.

Definitions

• 2.1. Company – Pwron LLP (BIN 241040012133), which is the owner and administrator of the Platform, as well as the personal data operator within the meaning of the legislation of the Republic of Kazakhstan.
• 2.2. Platform — a set of websites, mobile applications, chatbots, API interfaces, electronic forms, software modules, and other digital services administered by the Company under the gro.now brand or other related brands, which provide for the collection, storage, use, and other operations with personal data, user interaction, registration, participation in surveys, events, and programs, as well as the provision of the Company's services.
• 2.3. Website - the Company's main internet resource, located at https://gro.now/, as well as other domains/subdomains that provide access to the Platform's services.
• 2.4. User – any natural person using the Platform, including visitors to the Website, registered and unregistered users, clients, partners, representatives of legal entities, as well as other persons interacting with the Company through the Platform's interfaces or by other means (including offline).
• 2.5. Personal Account - a personalized section of the Platform that provides the User with access to the Company's functionality, including registration, management of their data and consents, receiving notifications, participating in events, and interacting with the Company's services.
• 2.6. Account - a set of registration data and settings of the User that ensures their identification and authorization in the Company's system.
• 2.7. External Account – a User's account with a third-party authentication provider (e.g., Google), through which access to the Platform is granted (SSO) without separate registration.
• 2.8. Platform Interfaces – visual and technical means of User interaction with the Platform, including web pages, mobile applications, widgets, electronic forms, banners, chatbots, e-mail communications, and other digital channels.
• 2.9. Company Services (Services) — functional capabilities of the Platform that enable the implementation of the Company's and the User's tasks, including conducting surveys, registering for and participating in events, providing rewards, sending notifications, processing applications, conducting marketing campaigns, and other services provided by the Company using the Platform.
• 2.10. Event – a conference, seminar, webinar, presentation, promotional or other public event (online or offline), organized by the Company independently or jointly with partners, for the purposes of promotion, communication, training, or research.
• 2.11. Respondent – a natural person participating in surveys, interviews, tests, analytical studies, or other activities of the Company. The processing of respondents' personal data is regulated by a separate Policy on the Processing of Personal Data of Respondents.
• 2.12. Marketing Communications – actions by the Company aimed at informing Users about products, services, events, discounts, offers, or promotions of the Company, including mailings via email, SMS, messengers, push notifications, and other forms of communication, carried out on the basis of the User's consent or other legal grounds.
• 2.13. Inquiry (Data Subject Request) — a written or electronic application from a natural person sent to the Company regarding the processing of their personal data, including a request for access, rectification, erasure, restriction of processing, withdrawal of consent, or filing a complaint.
• 2.14. Feedback Form – an electronic form on the Website or in the Platform's interfaces used by Users to send inquiries, feedback, complaints, or applications, as well as to exercise their rights as a data subject.
• 2.15. Personal Data (PD) — any information relating to a directly or indirectly identified natural person (data subject), including information identifying their personality, contact details, data on the use of the Platform, participation in events, and other information relating to the User.
• 2.16. Processing of Personal Data – any action (operation) or set of actions (operations) performed with or without the use of automated means, including collection, recording, systematization, accumulation, storage, clarification (updating, changing), use, transfer (provision, distribution, access), anonymization, blocking, erasure, and destruction of personal data.
• 2.17. Personal Data Operator (Operator) — the Company, which independently or jointly with other persons organizes and (or) carries out the processing of personal data, as well as determines the purposes of processing, the composition of data, and the actions (operations) performed with them.
• 2.18. Processor – a natural or legal person who processes personal data on behalf of the Company on the basis of a contract or other legal grounds, ensuring the confidentiality and security of such data.
• 2.19. Cookie files (Cookies) – small text files saved on the User's device when visiting the Website, used for the functioning of the Platform, analyzing its use, personalizing content, and marketing communications. Detailed rules for the use of cookies are described in a separate Cookie Policy.
• 2.20. Personal Data Security – the state of protection of personal data in which their confidentiality, integrity, availability, and accountability of processing are ensured using necessary organizational and technical measures.
• 2.21. Calendar Integration – a service of a third-party meeting scheduling provider (e.g., Calendly), through which a User/client schedules a consultation with the Company; information about the time slot and contact details are synchronized with the Platform.

3.1. Main Principles of Processing.

• 3.1.1. Lawfulness and Fairness – processing is carried out on legal grounds and within the stated purposes;
• 3.1.2. Purpose Limitation – the collection and use of personal data are limited to achieving specific, predetermined, and legitimate purposes;
• 3.1.3. Minimization – only data that is necessary for the specified purposes is processed;
• 3.1.4. Accuracy and Relevance — personal data is maintained in an accurate and up-to-date state, and is rectified upon the data subject's request if necessary;
• 3.1.5. Storage Limitation – data is stored for no longer than is required for the purposes of processing or to comply with legal requirements;
• 3.1.6. Confidentiality and Security – the Company ensures the protection of personal data from unlawful or accidental access, destruction, alteration, blocking, copying, distribution, and other unlawful actions;
• 3.1.7. Accountability of Processing – the Company ensures the ability to documentarily confirm the fact of obtaining consent, data sources, legal bases, periods, and results of processing.

3.2. Purposes of Personal Data Processing.

5.1. General Bases.

5.2. Linking Purposes (Sec. 3) with Legal Bases:

5.3-5.9. Legitimate Interest, Consent, and Other Aspects

• 5.3. Legitimate Interest: Balancing Test. Before processing on this basis, the Company conducts a balancing test (purpose → necessity → impact on the subject → mitigation measures). Examples of permissible cases: storing business correspondence and contact details of B2B counterparty representatives; technical logs for investigating security incidents; basic product analytics on aggregated/anonymized data; prevention of abuse (anti-spam, anti-fraud). Mitigation measures: field minimization, limited retention periods, role-based access, pseudonymization/anonymization, clear objection mechanisms (where applicable).
• 5.4. Consent of the Data Subject.
  5.4.1. Consent is used where it is explicitly required by law or the nature of the processing (marketing, certain categories, disproportionately new purposes, etc.).
  5.4.2. Consent is given specifically and informedly through the Platform's interfaces (checkbox/button/form/reply message/Personal Account) or in writing.
  5.4.3. Consent can be withdrawn at any time through available channels; after withdrawal, processing for the corresponding purpose ceases if there is no other basis.
  5.4.4. Detailed methods for obtaining/withdrawing consents and their recording are disclosed in a separate section 'Data Subject Consent' (will be provided later in the text).
• 5.5. Special Categories/Sensitive Data. The Company does not process special categories of personal data, except in cases expressly provided for by law and/or with the separate explicit consent of the data subject and sufficient protective measures.
• 5.6. Minors. If actions involving the data of a minor are required, the Company requests the consent of their legal representative or acts in another manner provided for by applicable law.
• 5.7. Combination of Bases. Several bases may apply to one purpose (e.g., performance of a contract + compliance with the law; legitimate interest + protection of rights). The Company documents the applied bases and their relationship.
• 5.8. Accountability and Record of Processing. The Company maintains up-to-date records of processing operations (registers), including purposes, categories of data and subjects, legal bases, recipients, retention periods, security measures, and cross-border transfers; upon request from authorized bodies, it provides necessary information within the limits of the law.
• 5.9. Minimization of OAuth/Scopes. When integrating SSO/calendars, the Company requests the minimum necessary permissions and does not access the content of the User's email, calendar, or contacts unless it is explicitly necessary and approved by the User through a separate action/consent.

6.1. General Principles.

6.2. Events Triggering the Start of Retention Periods (triggers):

6.3-6.7. Standard Periods and Other Provisions

7.1-7.4.

• 7.1. When Consent is Required. Consent is requested if the processing does not fall under other legal bases (Sec. 5), including for: (a) marketing communications; (b) photo/video recording at events (unless a public exception applies by law); (c) certain types of analytics/personalization not necessary for providing the service; (d) new purposes incompatible with the original ones.
• 7.2. Principles of Obtaining Consent. (a) a free, specific, informed, and unambiguous expression of will; (b) given separately from general terms and conditions; (c) formulated in simple and clear language; (d) accompanied by links to this Policy and relevant documents (Cookie Policy, event terms, etc.).
• 7.3. Methods of Providing Consent via the Platform and Offline. The Company accepts consent expressed by one of the following actions (the interfaces contain text/links to the terms and purpose of consent):
  7.3.1. Web/Mobile Interface: checking a checkbox, clicking a 'Consent/Accept/Subscribe' button, submitting a form with an explicit mark;
  7.3.2. Personal Account: enabling the corresponding toggle switch in the consent settings;
  7.3.3. Chatbot/Messengers/SMS/E-mail: sending a keyword/command specified in the consent request (e.g., 'AGREE');
  7.3.4. QR/Event Landing Page: marking consent in the registration form; visiting premises where a sign about photo/video recording is displayed at the entrance;
  7.3.5. Written/Electronically Signed Consent: using the Company's template or a form established by law.
• 7.4. Recording of Consent (Consent Log). The Company keeps a record of consents given and withdrawn, retaining at least the following attributes: date/time; channel (web/app/bot/e-mail/SMS/offline); action (checkbox/click/message/signature); user/account identifier (if any); version of documents (Policies/consents/notifications); IP/UA (for online); consent purpose tag (for which purpose). The record retention period is at least the duration of the consent + the statute of limitations.

7.5-7.13.

• 7.5. Layered Information. Before the consent action, a brief description of the purpose and key consequences is provided + a link to the full text. For events – through the registration form/participation terms; for marketing – in the subscription form.
• 7.6. Separate Settings by Channel. The User can consent/refuse separately for different types of communications (e-mail, SMS, messengers, push), by topics (product news/events/promotions), and by types of analytics/personalization if they are not necessary for the service.
• 7.7. Withdrawal of Consent and Objection to Processing. Consent can be withdrawn at any time: in the Personal Account (by disabling the corresponding toggle switch); via the 'Unsubscribe' link in messages/mailings; by a reply message in the same channel (e-mail/SMS/bot); through the feedback form on the Website; in writing to the Company's address.
• 7.8. After withdrawal, the Company ceases processing for the corresponding purpose, unless there is another basis (contract/law/protection of rights). The fact of withdrawal is recorded in the consent log. The User also has the right to object to processing based on legitimate interest; in this case, the Company will restrict processing unless it can demonstrate the priority of its legitimate interest and/or the need to protect rights.
• 7.9. Consent for Minors. If the consent of a minor is required, it is provided by a legal representative or in the manner prescribed by applicable law. The Company may request documents confirming authority.
• 7.10. Validity Period and Renewal of Consent. Consent is valid until it is withdrawn or until the purpose of processing is achieved/the terms are changed. In case of a significant change in the purpose/process of processing, the Company will re-request consent or offer to update the settings.
• 7.11. Consent Forms for Special Cases. For photo/video at non-public events, publication of reviews/case studies, transfer of contacts to partners, and for the use of data beyond the minimum necessary volume, the Company uses separate short consent forms specifying the purpose, term, and right of withdrawal.
• 7.12. Respondents – Separate Policy. Consents related to participation in research/surveys/payment of remuneration to respondents are described and recorded in the Policy on the Processing of Personal Data of Respondents; this Policy applies subsidiarily.
• 7.13. Managing External Connections. The User can disable login via an external account and/or revoke permissions granted to the provider (e.g., in Google settings). Revoking permissions with the provider stops future synchronization but does not delete data already received by the Company; to delete/disable the Account, a request should be submitted according to the procedure in Section 10. For Calendly, the User can cancel/reschedule the slot using the service's tools; data on past meetings are processed according to the rules of Section 6 (retention periods) and can be deleted upon request.

• 9.1. General Security Principles. The Company ensures the confidentiality, integrity, availability, and accountability of personal data processing, taking into account the risks, nature, scope, and context of the processing. Security measures are reviewed at least once a year and upon significant changes to the Platform.
• 9.2. Organizational Measures.
  9.2.1. distribution of roles and responsibilities (process owners, administrators, information security officers are appointed by order);
  9.2.2. access control policy (least privilege access, role-based segregation, regular review of rights);
  9.2.3. NDAs and confidentiality obligations for employees and contractors;
  9.2.4. training and knowledge testing on information security/data protection upon hiring and annually;
  9.2.5. on-boarding/off-boarding procedures: issuance/revocation of access, return of media, closure of accounts;
  9.2.6. register of processing operations, register of processors and cross-border transfers;
  9.2.7. change management and data protection impact assessment (DPIA) for new/significantly changed processes.
• 9.3. Technical Measures.
  9.3.1. Encryption: in transit – TLS for all external and internal network interactions; at rest – encryption of data and backups; key management – in a dedicated module/service, with rotation and access segregation.
  9.3.2. Authentication and Session Management: MFA for admin access, password complexity policy, limited lifetime of tokens/sessions, protection against brute-force attacks.
  9.3.3. Segmentation and Isolation: separation of environments (prod/stage/dev), network ACLs, WAF, API protection (rate-limiting, throttling, signatures/scopes).
  9.3.4. Logging and Monitoring: centralized logs (access, admin actions, configuration changes), immutable audit trails for critical operations; log retention according to the periods in Appendix No. 1; event correlation (SIEM).
  9.3.5. Anti-fraud and Abuse Protection: anomaly detection, protection against bot traffic, checks for credential leaks, CAPTCHA (only where necessary).
  9.3.6. Vulnerability Management: regular scans, bug bounty/pen-tests according to a plan, SLAs for fixing vulnerabilities based on criticality level.
  9.3.7. Backup and Recovery (BCP/DRP): regular backups, recovery tests, geo-redundancy, access control to backups.
  9.3.8. Data Protection on Endpoints (endpoint/DLP): encryption of work devices, mobile device management (MDM), prohibition of unauthorized copies of PD, control of data output.
  9.3.9. Supplier Security: technical and contractual requirements for processors (see Sec. 8), periodic compliance audits.
  9.3.10. For SSO/calendar integrations, the following are applied: short-lived tokens, limited scopes, secure storage of secrets, periodic key rotation, and logging of login/booking attempts.
• 9.4. Minimization and Pseudonymization. The Company uses the minimum necessary volume of data for each purpose. Where possible, data is pseudonymized/anonymized; access to the links between 'identifier ↔ identity' is restricted to a narrow circle of persons on a need-to-know basis.
• 9.5. Data Access and Administration. All admin actions are performed from named accounts with MFA and are logged. Privileged operations require additional confirmation and/or the 'four-eyes' principle for particularly sensitive actions (e.g., exporting large arrays of PD).
• 9.6. Storage, Media, and Destruction. Physical and virtual media containing PD are protected from unauthorized access; upon expiration of retention periods, they are destroyed/erased according to approved procedures; a separate deletion cycle applies to backups (see Sec. 6).
• 9.7. Incident Response.
  continuous monitoring of security events and feedback channels; classification of incidents and assignment of a responsible team; localization, elimination of causes, restoration of services, subsequent analysis (post-mortem); documentation and storage of investigation materials in a secure environment.
• 9.8. Notifications of Incidents and Data Breaches. Upon detection of a security breach that poses a risk to the rights and freedoms of data subjects, the Company: assesses the scale and consequences; if necessary, notifies the data subjects and (if required by law) the competent authorities within a reasonable time, providing available information about the nature of the incident, the affected data, the measures taken, and recommendations to the subjects; if necessary, provides further information as it becomes available.
• 9.9. Testing and Audit. The Company conducts regular checks on the effectiveness of protective measures (internal audits, pen-tests, log reviews), records the results, and a plan for corrective actions. Key findings are taken into account when updating this Policy and internal regulations.
• 9.10. Prohibition of Unauthorized Actions. Any exports, copying, transfer, or other actions with PD outside of registered processes and without appropriate legal grounds are prohibited and entail disciplinary and other liability under the law and contracts.

10.1. List of Rights.

10.2 - 10.5.

11. The Company's Role as a Processor for Partner Data and DPA

12. Final Provisions