Legal Documents
Privacy policy
Version v.1.0, effective September 15, 2025
1. Why this policy is needed and when it applies
1.1. Who we are.
We are gro.now, an online platform for surveys, research, tests, contests, and other activities—a Kazakhstani company LLP "Gro.now" (BIN 241040012133), operating under the brand gro.now.
Details and contacts for LLP "Gro.now": Republic of Kazakhstan, Almaty, Bostandyk district, Satpaev St., 90/54, Apt. 5, index 050000; e-mail: hi@gro.now; website: https://gro.now/ (hereinafter referred to as "We", "gro.now").
Details and contacts for LLP "Gro.now": Republic of Kazakhstan, Almaty, Bostandyk district, Satpaev St., 90/54, Apt. 5, index 050000; e-mail: hi@gro.now; website: https://gro.now/ (hereinafter referred to as "We", "gro.now").
1.2. What this document is.
This Policy explains in simple terms what data we collect on gro.now, why we need it, and how we handle it.
1.3. To whom and when it applies.
This Policy applies to all Respondents (you)—individuals who participate in our activities: surveys, research, tests, contests, and prize draws. It is effective during participation in activities, registration and logging into an account, accrual and use of rewards/points, our notifications about participation progress, as well as when contacting support and resolving disputes.
1.4. Through which channels we receive data.
We may receive data through the website and web forms, chatbots and messengers, e-mail newsletters, QR mechanics, and other connected channels. If an activity is conducted with a partner, it will be explicitly stated in its rules.
1.5. How this Policy relates to other gro.now documents.
This Policy works in conjunction with:
- The User Agreement;
- The Cookie Policy;
- separate consents for data processing.
If documents conflict regarding the processing of your data, a simple principle applies:
- special consents and the rules of a specific activity take precedence;
- then this Policy;
- for all other matters of service use, the User Agreement applies.
1.6. Where and for whom this Policy applies.
This Policy applies to Respondents regardless of their citizenship and location, within the framework of applicable laws. Specifics of transferring data abroad are described in Section 7, and rules for the participation of minors are in Section 6.
1.7. What is not covered here.
This Policy does not cover the data processing of employees, candidates, contractors, and B2B counterparties of gro.now—there are separate documents for them.
1.8. Current version.
We publish the current version of the Policy in the gro.now interfaces and on the website https://gro.now/. How we make changes and notify you is described in Section 12.
2. Terms and roles (who is who and what is what)
2.1. To avoid confusion, below we briefly explain the key terms found in the Policy and activity rules:
- Respondent — you, the individual participating in activities on gro.now.
- Activity – any participation scenario on the gro.now platform (survey, research, test, contest, prize draw, game, referral mechanic, etc.) that includes a description of conditions, deadlines, and, if applicable, reward rules. Activities may be online or include offline steps (e.g., a visit to a point of sale) if specified in the rules.
- Platform (gro.now) – our website, personal account, chatbots, forms, e-mail newsletters, and other technical tools through which you participate in activities.
- Account - your user account on gro.now. Through it, we know it's you and can credit rewards/points, send status updates, and assist with support.
- Reward – what you can receive for participation: money, certificates, gifts, mobile top-ups, discount codes, etc. The specific type is indicated in the activity rules. Cash payments may require your identification and accounting for legal purposes.
- Points - an internal accounting unit on gro.now. They are not money. The rules for their accrual, expiration, and exchange (if provided) are specified in the User Agreement.
- Verification — a request for additional data/documents from you (e.g., IIN, photo ID) if needed for payments, security, or by law. We only request what is genuinely necessary.
2.2. Data and technologies (what we are talking about)
- Personal Data (PD) — any information about you as a person that allows for your identification (e.g., email address, survey answers linked to your account, payment details, etc.).
- Anonymized Data – data from which identifiers have been removed (it's impossible to tell that it's you).
- Aggregated Data — summary statistics about groups of users (e.g., "70% of participants chose option A").
- Cookies and SDKs – small files and software modules that help the platform work more stably, faster, and more conveniently. More details are in the Cookie Policy.
2.3. Roles in data processing (who is responsible for what)
- Data Controller — the organization that decides "why" and "how" your personal data is processed. By default, the controller for the Platform's operation is LLP "Gro.now" (gro.now).
- Partner - the company that commissions a study or conducts an activity jointly with us (sometimes called the "Client" or "Sponsor").
- Activity Organizer – the one responsible for a specific activity. This can be us (gro.now) or a Partner (client/research commissioner). The organizer is always specified in the activity card or rules.
- If the organizer is gro.now, we act as the data controller for that activity.
- If the organizer is a Partner, the Partner may have its own role as a controller—in that case, gro.now processes data on the Partner's instructions as a processor. This is explicitly stated in the activity rules.
- Processor - a company that processes data on behalf of the controller (e.g., gro.now for a Partner, cloud hosting, newsletter service, anti-fraud service).
- Sub-processor – a processor's assistant (e.g., data center, email service). We engage them only when necessary and with protection for your data.
- Payment Partner – a bank, payment provider/aggregator, mobile operator, etc., through which payments or rewards are issued.
- Tax Agent – who by law withholds and/or reports taxes on cash payments (sometimes it's us, sometimes a payment partner; details are in the activity rules).
3. Who processes your data and what law applies
3.1. Who is responsible for your data
By default, the controller (the one who decides "why" and "how" data is processed) is LLP "Gro.now", operating under the gro.now brand. Our details and contact information are provided in Section 1. We also display these details in our interfaces and activity cards.
3.2. When the Partner is the controller
Sometimes a specific activity is conducted by our Partner (the research client), and gro.now acts as the platform and technical contractor. In such cases:
- The Partner is the controller of your data for that activity;
- gro.now is the processor and operates strictly according to the Partner's instructions;
In the activity card/rules, we explicitly state who the controller is and how to contact them.
3.3. Our assistants (processors and sub-processors)
For the service to work, we engage trusted providers: hosting/data centers, email and push notification services, payment partners, anti-fraud tools, etc.
We only transfer the amount of data necessary for their task and enter into data protection agreements with them.
We maintain an up-to-date list of categories of such companies and their functions in the "Sub-processors" Appendix and update it as changes occur.
We only transfer the amount of data necessary for their task and enter into data protection agreements with them.
We maintain an up-to-date list of categories of such companies and their functions in the "Sub-processors" Appendix and update it as changes occur.
3.4. Where these rules apply (applicable law)
The primary law for this Policy is the legislation of the Republic of Kazakhstan.
If the laws of your country of residence establish mandatory additional requirements (e.g., for consent, response times to requests, or cross-border transfers), we comply with them to the extent applicable to your situation.
Disputes and jurisdiction are governed by the User Agreement.
If the laws of your country of residence establish mandatory additional requirements (e.g., for consent, response times to requests, or cross-border transfers), we comply with them to the extent applicable to your situation.
Disputes and jurisdiction are governed by the User Agreement.
3.5. Language of the document
This Policy is prepared in Russian. If you are reading a translation, the Russian version has priority in case of discrepancies (unless otherwise specified in the rules of a specific activity).
3.6. How to contact us about data matters
Write to hi@gro.now. We may ask you to confirm your identity (e.g., via a code to your account or a document) to protect your data. We respond as quickly as possible and within the deadlines set by law.
4. Legal basis and consent mechanics
4.1. On what basis we process data.
We process data on one or more of the following grounds:
- performance of the User Agreement/activity rules;
- your consent;
- compliance with legal requirements (accounting, taxes, AML at payment partners);
- our legitimate interest (ensuring security, anti-fraud, protecting the rights and the service) - within the limits permitted by applicable law.
4.2. When explicit consent is required.
Explicit consent is recorded for:
- marketing communications;
- non-essential cookies/SDKs;
- processing of special categories of data (if requested);
- cases directly specified in the activity interface.
In all other permissible cases, the Respondent's participation and actions are considered as providing the Consent necessary for conducting the activity and providing the service.
4.3. How we obtain consent.
Consent is considered given, in particular, upon performing one of the following actions (depending on the channel):
- Web/application: checking a checkbox/toggle or clicking "Agree/Accept/Participate/Continue"; submitting a form/questionnaire; authorization/registration; continuing to use after displaying a notification with a link to the Policy and a clear phrase about consent.
- Messengers/bots: clicking "Start/Accept/Participate/Rate/Leave feedback"; sending the first message/reply after a bot message containing a link to the Policy and a brief consent formula; selecting a button within a scenario.
- QR/email/other channels: scanning a QR code and sending the first reply/form; following a personal link and submitting replies; confirming via a code in an e-mail/SMS.
4.4. Logging of consents.
We record: date/time, channel, account/device identifier, IP/agent, method of expressing consent (click/checkbox/message/form submission, etc.). These records are stored for the period necessary to protect rights and provide evidence.
4.5. Form of confirmation.
Upon request from the Respondent or authorized bodies, we provide confirmation of the fact of consent, including the recorded method and moment of its expression, within a reasonable time.
4.6. Minimizing bureaucracy.
We use short notifications and "one-click" actions where permissible and do not require separate paper consents if the law does not provide for it and/or a recorded electronic expression in the interface/bot is sufficient.
5. What data we process and why
5.1. General principle.
We only process the data necessary for the operation of gro.now and a specific activity. By "processing," we mean the entire cycle: collection, recording, storage, use, analysis, transfer as necessary, anonymization, deletion.
5.2. What operations we perform with data:
- collection (obtaining and systematizing);
- storage;
- alteration/amendment (updating, correction);
- use (application for participation/payments/support);
- dissemination (provision to a limited circle of recipients – partners/payment providers/contractors – only when necessary and on the basis of a contract/law);
- anonymization (removal of identifiers for analytics);
- blocking (temporary suspension of operations, e.g., during a dispute/incident check);
- destruction (irreversible deletion after expiration of terms or by legal requirements).
5.3. Account and identification data.
What: e-mail (if provided), name/nickname (if provided), phone (if necessary), account ID/UID.
Purposes: registration and login; linking participation to an account; transactional notifications; verification when necessary.
Basis: your consent; performance of the User Agreement/activity rules; legitimate interest of gro.now (security and protection against abuse - within the limits of applicable law).
Source: you via the website/bot/form; confirmation via e-mail/SMS.
Operations: collection; storage; use; alteration/amendment; transfer to a limited number of contractors for authentication and messaging; blocking during checks; destruction by deadlines.
Retention period: as long as the account is active + up to 12 months after account deletion. Then destruction.
6. Minors (how we handle data of children and teenagers)
6.1. Who is considered a minor
In this Policy, minors are individuals under the age of 18. For their participation, a special procedure and consent from a legal representative (parent/guardian) are required, unless the rules of a specific activity require a higher age.
7. Data transfer and disclosure (to whom and when we transfer data)
7.1. Basic principles
- We only transfer what is essential for the service or a specific activity to function.
- By default, the partner-organizer receives anonymized/aggregated statistics. Personal data is transferred only if it is explicitly stated in the activity rules and on a legal basis (usually by contract/your consent).
- We enter into data protection agreements with all contractors and verify their security measures.
8. Cross-border data transfer
8.1. Why transfer abroad may be necessary
Sometimes, for the operation of gro.now and specific activities, we need to use infrastructure and services located outside the Republic of Kazakhstan (e.g., using resources of a foreign neural network; cloud hosting/backup copies, e-mail/SMS distribution, performance monitoring, anti-fraud, payments through international partners).
9. Cookies and SDKs
9.1. What they are
Cookies – small files that your browser saves on your device so that the site works correctly and remembers your settings.
SDKs – built-in modules in applications/bots/widgets that help deliver notifications, collect technical metrics, find errors, etc.
We also use localStorage/SessionStorage (browser storage) — which is similar to cookies in function.
SDKs – built-in modules in applications/bots/widgets that help deliver notifications, collect technical metrics, find errors, etc.
We also use localStorage/SessionStorage (browser storage) — which is similar to cookies in function.
10. Data security
10.1. Our approach to data protection.
We protect your data by combining organizational and technical measures, principles of "data minimization" and "privacy by default." We use trusted contractors and regularly review our measures.
11. Respondent's rights and handling requests
11.1. Your rights
You can contact us at any time regarding data that pertains to you:
- Access and copy. To find out if we process your data, get a list of it, and a copy in an intelligible form.
- Correction. To ask to correct inaccurate or incomplete data.
- Deletion. To ask to delete data if it is no longer needed for the purposes of processing, you have withdrawn consent, you object to processing on the basis of "legitimate interest," or the processing was unlawful.
- Restriction. To temporarily "freeze" some operations (except storage), for example, while we verify the accuracy of the data or the lawfulness of the processing.
- Objection. To object to processing based on "legitimate interest" (e.g., certain analytics/anti-fraud metrics, if applicable to your case).
- Portability. To receive the data you provided to us in a machine-readable format and/or transfer it to another controller—if it is technically feasible and does not violate the rights of others.
- Withdrawal of consent. To withdraw consent at any time (e.g., for marketing communications or non-essential cookies/SDKs). The withdrawal is effective for the future.
- Communication settings. To unsubscribe from marketing messages (via a link in the email/in your account), leaving only transactional notifications.
- Complaint. To file a complaint with us and/or the authorized body for the protection of personal data, as well as in court.
12. Communications and notifications
12.1. Types of messages
- Transactional – the service won't work without them: login/confirmation codes, participation and accrual/payment statuses, important security messages, critical changes to terms, system notifications about technical work. Basis: performance of the user agreement.
- Operational service-related — useful reminders related to an activity (e.g., "you haven't finished the survey") and messages about available account functions. Basis: performance of the user agreement.
- Marketing — news about activities, programs, referral mechanics. We send them only with your consent (opt-in) and with the option to unsubscribe instantly.
13. Changes to the Policy
13.1. Why and when we update
We review the Policy if there are changes in: the law, how the service works, the technologies used (e.g., new SDKs), the list of data recipients, or storage periods. Also, based on the results of security audits and user feedback.
14. Date and entry into force.
Policy Version: v1.0 of September 15, 2025. The Policy is effective from the moment of publication, unless otherwise specified.