Privacy Policy
Effective date: 1 March 2026 · Last updated: March 2026
Obsidian Arrow LLP · Republic of Kazakhstan
1. Introduction and Data Controller
This Privacy Policy (the "Policy") describes how Obsidian Arrow LLP (the "Controller", "we", "us") collects, processes, stores, and protects the personal data of users of the Amanah AI platform (the "Service").
The Policy is developed in accordance with the Law of the Republic of Kazakhstan dated 21 May 2013 No. 94-V "On Personal Data and Their Protection" and other applicable regulations.
By using the Service, you consent to the processing of your personal data as described in this Policy. If you do not agree with this Policy, please do not use the Service.
2. Data We Collect
Depending on how you interact with the Service, we may collect the following categories of data:
- First and last name
- Email address
- Phone number (if provided)
- Job title (optional)
- Hashed password
- Organisation name
- Business registration number (if applicable)
- Industry / sector
- Business model description
- Document and website links
- Scoring questionnaire responses
- Financial parameters (optional)
- Uploaded documents
- Assessment results and reports
- IP address
- Browser type and OS
- Browser language
- Date and time of visit
- Pages visited and actions taken
- Referral source
We do not collect special categories of personal data (racial or ethnic origin, religious beliefs, biometric data, health data) without explicit consent.
Business model data is submitted voluntarily by the user and is required to provide the analytical services. Failure to provide mandatory fields may prevent access to certain features of the Service.
3. Purposes of Data Processing
| Purpose | Description |
|---|---|
| Service delivery | Creating and managing accounts, processing applications, generating analytical reports, providing access to the dashboard |
| Identification and authentication | Verifying user identity at login, maintaining account security |
| Communications | Sending reports, application status notifications, and responses to support requests |
| Service improvement | Analysing aggregated usage data to develop new features and improve analytical quality |
| Payment processing | Confirming and recording payments via third-party payment gateways |
| Security | Detecting fraud, abuse, cyberattacks, and unauthorised access |
| Legal compliance | Fulfilling obligations under Kazakhstan law and responding to lawful requests from government authorities |
| Marketing communications | Informing about service updates and new plans — only with explicit consent; unsubscribe at any time |
We do not use personal data for automated decision-making that materially affects users' rights without human involvement.
4. Legal Bases for Processing
Personal data is processed on the following legal grounds:
- Performance of a contract: processing is necessary to provide the services ordered by the user (analytical reports, platform access);
- Consent: for marketing communications and the submission of optional data;
- Legitimate interest: ensuring platform security, preventing fraud, improving the service based on aggregated analytics;
- Legal obligation: responding to lawful requests from authorised government authorities in Kazakhstan.
5. Storage and Retention
5.1. General Principle
Personal data is retained no longer than necessary for the purposes stated in this Policy, or for the period required by applicable law.
| Data Type | Retention Period | Basis |
|---|---|---|
| Account data | Until account deletion + 3 years | Contract performance, legitimate interest |
| Analytical reports | 3 years from creation | Contract performance |
| Payment records | 5 years | Kazakhstan tax law |
| Technical logs | 12 months | Security, technical purposes |
| Support email correspondence | 3 years | Contract performance, legitimate interest |
| Marketing consent data | Until consent is withdrawn | User consent |
Upon expiry of the retention period, data is permanently deleted or anonymised, unless otherwise required by law.
6. Data Security
The Controller takes reasonable technical and organisational measures to protect personal data against unauthorised access, loss, modification, or disclosure, including:
- data transmission over encrypted HTTPS/TLS channels;
- storage of passwords as irreversible cryptographic hashes (bcrypt / SHA-256);
- database access restricted on a least-privilege basis;
- regular data backups;
- monitoring for suspicious activity and unauthorised access attempts.
7. Third-Party Disclosures
We do not sell, exchange, or transfer users' personal data to third parties for commercial purposes.
Limited data transfers may occur in the following cases:
| Recipient | Data | Purpose |
|---|---|---|
| Hosting provider | All platform data | Storage and processing on servers required to operate the service |
| Payment gateway | Email, amount, order ID | Processing payments; card data is not stored by the Controller |
| Transactional email service | Email, name | Sending notifications and reports |
| Analytics services | Aggregated / anonymised data | Service usage statistics; no personal data transferred |
| Government authorities | Upon lawful request | Compliance with Kazakhstan law obligations |
| Independent Scholar (Investor Pack / on request) | Anonymised business data | Methodological review of the report; personal data not shared without consent |
All third parties receiving data are required to maintain confidentiality and not use data for purposes other than those stated.
8. Cross-Border Data Transfers
To operate the platform, data may be processed on servers located outside the Republic of Kazakhstan. In such cases, the Controller:
- ensures that the recipient country provides an adequate level of data protection; or
- enters into appropriate data protection agreements with the recipient; or
- relies on other legal mechanisms permitted under Kazakhstan law.
Transfers to countries with an inadequate level of data protection are carried out only with explicit user consent or when required by a legal obligation.
9. Cookies and Analytics
9.1. What Are Cookies
Cookies are small text files stored by the browser to enable the website to function and to remember user preferences.
9.2. Types of Cookies We Use
| Type | Purpose | Required |
|---|---|---|
| Essential | Enabling session management, authentication, and security | Yes |
| Functional | Remembering language settings and user preferences | No |
| Analytical | Collecting aggregated visit statistics (without personal identification) | No |
Users can manage cookie settings in their browser. Disabling non-essential cookies does not prevent use of the core features of the Service.
10. Payment Data
The Controller does not store bank card numbers, payment account details, or other financial credentials of users. All transactions are processed through certified third-party payment gateways compliant with PCI DSS standards.
The Controller stores only:
- transaction identifier (to link payment to an account);
- payment status (paid / processing / refunded);
- amount and date of payment;
- payer's email address.
11. Minors
The Service is not intended for use by persons under the age of 18. We do not knowingly collect personal data from minors. If we become aware that data from a minor has been submitted without the consent of a legal representative, we will immediately delete such data.
12. Your Data Rights
In accordance with the Law of the Republic of Kazakhstan "On Personal Data and Their Protection" and this Policy, you have the following rights:
Request information about what data we hold about you
Request correction of inaccurate or outdated data
Request deletion of your personal data ("right to be forgotten")
Object to processing based on legitimate interest
Receive your data in a structured, machine-readable format
Withdraw consent to data processing at any time
How to Exercise Your Rights
Submit requests to privacy@amanah-ai.com with the subject line "Data Subject Rights Request". We will respond within 30 (thirty) business days.
To verify your identity when processing a request, we may ask for confirmation from the registered email address of your account.
13. Policy Updates
The Controller may update this Policy from time to time. The new version will be published on the website with the date of update. For material changes, registered users will be notified by email.
Continued use of the Service after the updated Policy is published constitutes acceptance of the changes.
14. Contact Information
For any questions relating to the processing of personal data, the exercise of your rights, or this Policy, please contact us:
See also: Terms of Use · Disclaimer