Amanah AI
  • Analysis
  • How It Works
  • Pricing
  • Contact
Dashboard
Legal Document

Privacy Policy

Effective date: 1 March 2026  ·  Last updated: March 2026

Obsidian Arrow LLP · Republic of Kazakhstan

Contents
  • 1. Introduction and Data Controller
  • 2. Data We Collect
  • 3. Purposes of Processing
  • 4. Legal Bases for Processing
  • 5. Storage and Retention
  • 6. Data Security
  • 7. Third-Party Disclosures
  • 8. Cross-Border Transfers
  • 9. Cookies and Analytics
  • 10. Payment Data
  • 11. Minors
  • 12. Your Rights
  • 13. Policy Updates
  • 14. Contact Information
Our Principle: The confidentiality of your data is not a formality — it is part of our professional responsibility. We collect only what is necessary, store it securely, and never sell it to third parties.

1. Introduction and Data Controller

This Privacy Policy (the "Policy") describes how Obsidian Arrow LLP (the "Controller", "we", "us") collects, processes, stores, and protects the personal data of users of the Amanah AI platform (the "Service").

The Policy is developed in accordance with the Law of the Republic of Kazakhstan dated 21 May 2013 No. 94-V "On Personal Data and Their Protection" and other applicable regulations.

Data Controller: Obsidian Arrow LLP
Country: Republic of Kazakhstan
Privacy email: privacy@amanah-ai.com
General contact: info@amanah-ai.com

By using the Service, you consent to the processing of your personal data as described in this Policy. If you do not agree with this Policy, please do not use the Service.

2. Data We Collect

Depending on how you interact with the Service, we may collect the following categories of data:

Registration Data
  • First and last name
  • Email address
  • Phone number (if provided)
  • Job title (optional)
  • Hashed password
Company Data
  • Organisation name
  • Business registration number (if applicable)
  • Industry / sector
  • Business model description
  • Document and website links
Analytical Data
  • Scoring questionnaire responses
  • Financial parameters (optional)
  • Uploaded documents
  • Assessment results and reports
Technical Data
  • IP address
  • Browser type and OS
  • Browser language
  • Date and time of visit
  • Pages visited and actions taken
  • Referral source

We do not collect special categories of personal data (racial or ethnic origin, religious beliefs, biometric data, health data) without explicit consent.

Business model data is submitted voluntarily by the user and is required to provide the analytical services. Failure to provide mandatory fields may prevent access to certain features of the Service.

3. Purposes of Data Processing

PurposeDescription
Service delivery Creating and managing accounts, processing applications, generating analytical reports, providing access to the dashboard
Identification and authentication Verifying user identity at login, maintaining account security
Communications Sending reports, application status notifications, and responses to support requests
Service improvement Analysing aggregated usage data to develop new features and improve analytical quality
Payment processing Confirming and recording payments via third-party payment gateways
Security Detecting fraud, abuse, cyberattacks, and unauthorised access
Legal compliance Fulfilling obligations under Kazakhstan law and responding to lawful requests from government authorities
Marketing communications Informing about service updates and new plans — only with explicit consent; unsubscribe at any time

We do not use personal data for automated decision-making that materially affects users' rights without human involvement.

4. Legal Bases for Processing

Personal data is processed on the following legal grounds:

  • Performance of a contract: processing is necessary to provide the services ordered by the user (analytical reports, platform access);
  • Consent: for marketing communications and the submission of optional data;
  • Legitimate interest: ensuring platform security, preventing fraud, improving the service based on aggregated analytics;
  • Legal obligation: responding to lawful requests from authorised government authorities in Kazakhstan.

5. Storage and Retention

5.1. General Principle

Personal data is retained no longer than necessary for the purposes stated in this Policy, or for the period required by applicable law.

Data TypeRetention PeriodBasis
Account dataUntil account deletion + 3 yearsContract performance, legitimate interest
Analytical reports3 years from creationContract performance
Payment records5 yearsKazakhstan tax law
Technical logs12 monthsSecurity, technical purposes
Support email correspondence3 yearsContract performance, legitimate interest
Marketing consent dataUntil consent is withdrawnUser consent

Upon expiry of the retention period, data is permanently deleted or anonymised, unless otherwise required by law.

6. Data Security

The Controller takes reasonable technical and organisational measures to protect personal data against unauthorised access, loss, modification, or disclosure, including:

  • data transmission over encrypted HTTPS/TLS channels;
  • storage of passwords as irreversible cryptographic hashes (bcrypt / SHA-256);
  • database access restricted on a least-privilege basis;
  • regular data backups;
  • monitoring for suspicious activity and unauthorised access attempts.
Important: No system provides absolute security. If you notice signs of account compromise (suspicious login, unauthorised actions), please contact us immediately at security@amanah-ai.com. In the event of a data breach, we will notify affected users within the timeframes required by Kazakhstan law.

7. Third-Party Disclosures

We do not sell, exchange, or transfer users' personal data to third parties for commercial purposes.

Limited data transfers may occur in the following cases:

RecipientDataPurpose
Hosting provider All platform data Storage and processing on servers required to operate the service
Payment gateway Email, amount, order ID Processing payments; card data is not stored by the Controller
Transactional email service Email, name Sending notifications and reports
Analytics services Aggregated / anonymised data Service usage statistics; no personal data transferred
Government authorities Upon lawful request Compliance with Kazakhstan law obligations
Independent Scholar (Investor Pack / on request) Anonymised business data Methodological review of the report; personal data not shared without consent

All third parties receiving data are required to maintain confidentiality and not use data for purposes other than those stated.

8. Cross-Border Data Transfers

To operate the platform, data may be processed on servers located outside the Republic of Kazakhstan. In such cases, the Controller:

  • ensures that the recipient country provides an adequate level of data protection; or
  • enters into appropriate data protection agreements with the recipient; or
  • relies on other legal mechanisms permitted under Kazakhstan law.

Transfers to countries with an inadequate level of data protection are carried out only with explicit user consent or when required by a legal obligation.

9. Cookies and Analytics

9.1. What Are Cookies

Cookies are small text files stored by the browser to enable the website to function and to remember user preferences.

9.2. Types of Cookies We Use

TypePurposeRequired
Essential Enabling session management, authentication, and security Yes
Functional Remembering language settings and user preferences No
Analytical Collecting aggregated visit statistics (without personal identification) No

Users can manage cookie settings in their browser. Disabling non-essential cookies does not prevent use of the core features of the Service.

10. Payment Data

The Controller does not store bank card numbers, payment account details, or other financial credentials of users. All transactions are processed through certified third-party payment gateways compliant with PCI DSS standards.

The Controller stores only:

  • transaction identifier (to link payment to an account);
  • payment status (paid / processing / refunded);
  • amount and date of payment;
  • payer's email address.

11. Minors

The Service is not intended for use by persons under the age of 18. We do not knowingly collect personal data from minors. If we become aware that data from a minor has been submitted without the consent of a legal representative, we will immediately delete such data.

12. Your Data Rights

In accordance with the Law of the Republic of Kazakhstan "On Personal Data and Their Protection" and this Policy, you have the following rights:

Right of Access

Request information about what data we hold about you

Right to Rectification

Request correction of inaccurate or outdated data

Right to Erasure

Request deletion of your personal data ("right to be forgotten")

Right to Object

Object to processing based on legitimate interest

Right to Portability

Receive your data in a structured, machine-readable format

Withdrawal of Consent

Withdraw consent to data processing at any time

How to Exercise Your Rights

Submit requests to privacy@amanah-ai.com with the subject line "Data Subject Rights Request". We will respond within 30 (thirty) business days.

To verify your identity when processing a request, we may ask for confirmation from the registered email address of your account.

Withdrawing consent or requesting data deletion may result in the inability to provide some or all features of the Service. Previously generated reports under paid plans may be retained in archives for the period required by law.

13. Policy Updates

The Controller may update this Policy from time to time. The new version will be published on the website with the date of update. For material changes, registered users will be notified by email.

Continued use of the Service after the updated Policy is published constitutes acceptance of the changes.

14. Contact Information

For any questions relating to the processing of personal data, the exercise of your rights, or this Policy, please contact us:

Company: Obsidian Arrow LLP
Country: Republic of Kazakhstan
Privacy email: privacy@amanah-ai.com
General email: info@amanah-ai.com

See also: Terms of Use  ·  Disclaimer

© 2025–2026 Obsidian Arrow LLP · Amanah AI · All rights reserved.

← Back to Home  ·  Terms of Use  ·  Disclaimer