By filling out forms on the AJR website or in the mobile application, I hereby give my consent to Ajr Finance Limited (hereinafter — the “Company”) to collect, store, process, and use my personal and biometric data for the purposes defined in this Privacy Policy and this document, including transfer to authorized data processors (as permitted by law and data protection agreements).
Contact for inquiries: timur@ajr.kz

This Privacy Policy is an official document of Ajr Finance Limited, an Islamic financial company operating under the legislation of the Astana International Financial Centre (AIFC). This Policy governs the collection, storage, processing, and transfer of personal and biometric data of users of the website https://www.ajr.kz and the AJR mobile application (hereinafter — the “User”).
The Policy is developed in accordance with:
– the Law of the Republic of Kazakhstan “On Personal Data and Their Protection”,
– the AIFC Data Protection Regulations,
– Apple App Store Review Guidelines,
– Google Play User Data Policy / Data Safety requirements,
– Islamic principles (amanah, ‘adl, protection of personal dignity).
The User accepts this Policy by marking the checkbox “I have read and agree,” without which registration in the application is not possible.
Contacts: timur@ajr.kz / info@ajr.kz

1. Terms and Definitions
1.1. Company — Ajr Finance Limited.
1.2. User — an individual using the AJR website/application.
1.3. Personal Data — any information that identifies or can identify a User (full name, IIN, contact details, documents, device data).
1.4. Biometric Data — unique facial data including photos, videos, facial templates (face embeddings), and liveness data.
1.5. Identification — establishing identity through biometrics.
1.6. Authentication — confirming a previously identified person.
1.7. Verification — validation of data through governmental or authorized sources.
1.8. Processors — partners involved in data processing (First Credit Bureau, BTS Digital, Firebase, etc.) under Data Processing Agreements.
1.9. Processing — any operation: collection, recording, storage, transfer, deletion.
1.10. Anonymization — irreversible removal of the ability to link data to a person.
1.11. Pseudonymization — processing with separation of data and identifiers.
1.12. Withdrawal of Consent — stopping processing except where required by law.
1.13. Cross-border Transfer — transfer of data to another jurisdiction under lawful grounds.

2. Data Categories Collected (Apple/Google Requirements)
2.1. Data Linked to You— Identity: full name, IIN, date of birth
— Contact Info: phone number, email, residential address
— Identifiers: device ID, IP address, app identifiers
— Financial Info: applications, contracts, installment status, debts
— Sensitive Data: biometrics (face photo/video, templates, liveness data)
— User Content: photos/videos of identity documents
— Usage Data: in-app actions
— Diagnostics: crash logs, technical errors
2.2. Data Not Linked to You
— Aggregated usage statistics
— Performance and analytics metrics
2.3. No Advertising Tracking
The application does not conduct tracking.
We do not use data for advertising, marketing targeting, cross-app tracking, nor do we share data with advertising platforms.

3. Purposes of Data Processing
Data is processed solely for the following purposes:
– registration and account management;
– identity verification and video verification (KYC/AML);
– signing contracts, including legally binding video verification;
– reviewing applications for halal financing;
– providing installment financing services;
– sending push notifications regarding applications and contract statuses;
– fraud prevention;
– compliance with legal and regulatory requirements;
– improving service quality and technical support.

4. External Services and SDKs Used
4.1. Firebase Cloud Messaging (Google)
Used only for sending push notifications (application status, contract updates, technical alerts).
Firebase receives only the device’s technical identifier.
Firebase does not use AJR data for advertising or tracking.
4.2. BTS Digital (Video Verification)
Used to perform identity verification and remote contract signing in accordance with Kazakh law.
Biometric data is transmitted securely and exclusively for identification purposes.
4.3. First Credit Bureau (FCB)
Used for data verification, biometric identification, and anti-spoofing checks.
All services operate under Data Processing Agreements.
5. Principles of Data Processing
The Company follows the principles of:
– lawfulness and fairness,
– transparency,
– data minimization,
– strict purpose limitation (biometrics used only for KYC/signing),
– confidentiality and encryption,
– non-discrimination,
– compliance with Sharia principles (amanah — trust and protection),
– accountability and internal audits.
6. Mobile Application Permissions
The AJR app uses:
– Camera — for photographing documents and biometric identification (photo/video)
– Photo/video capture — for KYC and video verification
The AJR app does not use:
– microphone
– geolocation
– motion sensors
– access to user contacts or media files
7. User Notifications and Consent
Before registration, the User:
– is shown the full Privacy Policy;
– has the opportunity to read it;
– must confirm consent by checking the mandatory checkbox:
“I have read and agree to the Privacy Policy and consent to the processing of personal and biometric data.”
Without this confirmation, registration is not possible.

8. Notifications (push/email/SMS)
The Company may send:
– service notifications (application status, contracts)
– legal notifications (policy changes)
– security alerts
Marketing messages are sent only with separate consent.
The User may unsubscribe via app settings or email.

9. Data Retention Periods
– Personal data is stored for the duration of the contract and up to 5 years afterward unless longer retention is required by law.
– Biometric data is stored only for identification and contract signing purposes and deleted or anonymized afterward.
– After account deletion, data is removed unless legal grounds require retention.

10. Account Deletion and Withdrawal of Consent
The User may delete their account via Profile → Delete Account.
Deletion is available only if there are no outstanding debts or active contracts.
After deletion:
– data is deleted or anonymized;
– a confirmation message is sent.

11. Data Transfer to Third Parties
Data may be transferred to:
– authorized processors (FCB, BTS Digital, Firebase),
– government authorities and regulators (upon official request),
– third parties when necessary to fulfill a contract.
The Company does not sell data and does not transfer data to advertising companies.

12. Cross-border Data Transfer
Allowed only when:
– a lawful basis exists,
– adequate protection is ensured,
– user consent is obtained when required.

13. Security Incidents
In the event of a data breach or suspected breach:
– the Company will take immediate mitigation measures;
– affected users will be notified within 72 hours;
– regulators (AFSA, government bodies of Kazakhstan) will be notified as required.

14. User Rights
The User has the right to:
– obtain information about their data;
– request a copy of their data;
– request correction or deletion (unless contrary to law);
– withdraw consent.
Requests may be submitted to: timur@ajr.kz / info@ajr.kz

15. Children and Minors
The AJR application is not intended for children under 13.
The Company does not knowingly collect data from children.
If a child’s data is detected, it is deleted.

16. Compliance with App Store and Google Play Requirements
The AJR application fully complies with:
– Apple App Store Review Guidelines (5.1.1, 5.1.2, ATT),
– Google Play User Data Policy,
– Google Play Data Safety requirements.
Information shown in App Privacy (Apple) and Data Safety (Google) accurately reflects actual data practices.

17. Changes to the Policy
The Company reserves the right to update this Policy.
Updates are published on the website or in the application.
Continued use of the service signifies acceptance of the updated Policy.

Contacts
Ajr Finance Limited
Email: timur@ajr.kz, info@ajr.kz
Address: Astana, AIFC, Republic of Kazakhstan
For privacy-related inquiries: during business hours, in writing.