Personal Data Privacy Policy
This Policy is an official document of Ajr Finance Limited, an Islamic financial company incorporated and operating under the laws of the Astana International Financial Centre (hereinafter – the Company). The Policy governs the collection, storage, transfer, and use of biometric data of users of the website https://www.ajr.kz and/or the AJR mobile application (hereinafter – the User) for the purposes of identity verification and ensuring the security of Islamic financial transactions. The document has been developed in accordance with the Law of the Republic of Kazakhstan “On Personal Data and Their Protection”, the AIFC Data Protection Regulations, as well as principles of Sharia (fiqh al-muamalat) relating to the protection of entrusted information (amanah).
1. Terms and Definitions
1.1. Company – Ajr Finance Limited, an Islamic financial company incorporated and operating under the laws of the Astana International Financial Centre (AIFC), which processes personal and biometric data for identifying Users and providing Islamic financial products and services.
1.2. User – an individual who uses the Company’s website, the “AJR” mobile application and/or other digital services of the Company, whose personal and/or biometric data are processed by the Company.
1.3. Personal data – any information relating to an identified or identifiable User (including but not limited to: full name, Individual Identification Number (IIN), contact details, address, payment details, device data and network identifiers).
1.4. Biometric personal data (biometric data) – unique physiological and/or behavioural characteristics of the User that enable unambiguous identification of the person, including:
1.4.1. Face image / its mathematical template (face image / face embedding);
1.4.2. Voice / voice characteristics (voiceprint);
1.4.3. Fingerprints / palm prints;
1.4.4. Iris / vascular pattern image and other ophthalmologic markers;
1.4.5. Behavioural parameters (keystroke dynamics, gait, device-interaction patterns);
1.4.6. Liveness data confirming that a biometric sample is captured from a live person rather than a spoofed medium.
1.5. Biometric template (reference) – a mathematical representation (vector, hash, or other digital structure) generated from the User’s biometric sample and intended for subsequent comparison (matching) with newly obtained samples.
1.6. Identification – establishing the User’s identity by comparing his or her biometric data with a previously created biometric template.
1.7. Authentication – confirmation that the current biometric sample belongs to a previously identified User (one-to-one verification).
1.8. Verification – a set of procedures for validating the accuracy of personal and biometric data, including cross-checking with state and/or other authorised sources.
1.9. Profiling – any form of automated processing of personal data consisting of the use of personal data to evaluate certain aspects relating to a User (e.g., creditworthiness), excluding the use of biometrics for identification and fraud-prevention purposes.
1.10. Processing of personal/biometric data – any operation or set of operations performed on data, whether or not by automated means: collection, recording, organisation, storage, updating, alteration, use, comparison, transfer (dissemination, provision, access), depersonalisation, restriction, blocking, or destruction.
1.11. Automated processing – data processing using computing systems and algorithms (including machine learning) applied, in particular, to generate biometric templates and perform comparisons.
1.12. Depersonalisation – actions resulting in the impossibility of identifying a specific User without additional information.
1.13. Pseudonymisation – data processing in such a way that they cannot be attributed to a specific User without additional information, which is stored separately and protected by technical and organisational measures.
1.14. Anonymisation – irreversible depersonalisation of data, eliminating the possibility of re-identification of the User.
1.15. Encryption – the use of cryptographic methods to protect personal and biometric data during storage and/or transmission.
1.16. Consent to processing – a voluntary, specific, informed and unambiguous expression of the User’s will to allow processing of his or her personal and/or biometric data for the stated purposes, provided electronically or in writing, with logging of the fact of consent.
1.17. Withdrawal of consent – the expression of the User’s will to terminate the processing of his or her personal and/or biometric data insofar as based on consent; this does not affect processing required by law, for the protection of the Company’s legitimate interests, or for compliance with legal obligations.
1.18. First Credit Bureau (FCB) – an organisation conducting scoring, verification and/or biometric identification of Users based on the laws of the Republic of Kazakhstan and contracts with the Company, including anti-spoofing and liveness detection mechanisms.
1.19. Third parties / authorised processors – entities processing data on behalf of the Company under confidentiality and data protection agreements (e.g., FCB, payment processors, cloud service providers, anti-fraud solution providers).
1.20. Data transfer – the provision of personal and/or biometric data to a third party, including cross-border transfer, provided there are lawful grounds and adequate protection safeguards.
1.21. Cross-border data transfer – transfer of personal and/or biometric data to a foreign state or jurisdiction outside Kazakhstan/AIFC, subject to compliance with Kazakh and AIFC requirements on adequacy of protection.
1.22. Regulators – authorised bodies and organisations exercising oversight and regulation in the relevant field, including the AIFC Financial Services Authority (AFSA) and state authorities of the Republic of Kazakhstan acting within their competence.
1.23. Information security incident / data breach – an event that has led or could lead to unauthorised access, alteration, disclosure, destruction, or blocking of personal/biometric data.
1.24. Data Protection Impact Assessment (DPIA) – a documented risk assessment procedure analysing potential impacts and mitigation measures, particularly regarding biometric processing, conducted by the Company in cases required by law or internal policies.
1.25. Retention period – the time during which personal and/or biometric data are stored in a form allowing identification of the User, after which the data must be deleted or anonymised unless otherwise required by law.
1.26. Data destruction – actions rendering recovery of personal and/or biometric data impossible (including crypto-erasure, secure data wiping, or physical destruction).
1.27. AML/KYC – anti-money laundering and counter-terrorist financing measures, including client identification and verification in accordance with the laws of Kazakhstan and the AIFC.
1.28. Sharia ethical principles in data handling – the principles of justice (‘adl), trust (amanah), protection of human dignity, and prohibition of harm, applied by the Company when determining purposes and methods of personal and biometric data processing.
2. Principles of Biometric Data Processing
2.1. Lawfulness and fairness. The processing of Users’ biometric data is carried out exclusively on legal grounds provided for by the legislation of the Republic of Kazakhstan, AIFC acts, the Company’s internal policies, and the principles of Sharia. All operations are performed in good faith, transparently, and do not allow actions that harm the User or violate their rights.
2.2. Purpose limitation. The collection and use of biometric data are permitted only for the purposes explicitly defined in this Policy: identification, authentication, fraud prevention, and fulfilment of contractual obligations. The use of biometric data for marketing, advertising, analytics, or profiling not related to identification is prohibited.
2.3. Data minimisation. The Company collects and processes only the amount of biometric information objectively necessary for the stated purposes. Excessive data are not collected, stored, or used. Templates are formed and stored in depersonalised or pseudonymised form, except where direct identification is required by law.
2.4. Accuracy and data relevance. The Company ensures that biometric data are accurate, complete, and up to date. The User has the right to update, correct, or delete their data in accordance with this Policy.
2.5. Storage limitation. Biometric data are stored only for the period necessary to achieve the purposes of processing. Upon expiry, the data are deleted or anonymised unless otherwise required by law.
2.6. Confidentiality and security. The Company applies organisational, technical, and cryptographic measures to protect data from unauthorised access, alteration, copying, disclosure, destruction, or other unlawful actions. Access is granted only to authorised employees and contractors bound by data protection agreements (including FCB). Systems comply with recognised information security standards, including ISO/IEC 27001.
2.7. Transparency. The Company provides Users with clear information about the purposes, methods, and legal bases of biometric processing, as well as Users’ rights and control mechanisms. This Policy is published on the website and in the mobile application, and Users are notified in advance of any amendments.
2.8. Informed consent. Before processing begins, the Company obtains clear and explicit consent from the User. Consent is given voluntarily, based on sufficient information about purposes and consequences, confirmed by an electronic action, and recorded with time, date, and source. Consent logs are stored for audit purposes.
2.9. Non-discrimination. Processing of biometric data shall not result in discrimination based on gender, nationality, religion, origin, social status, or any other characteristic. Algorithms used for identification are tested for bias and compliance with ethical and technical standards.
2.10. Religious-ethical integrity. The Company follows Sharia principles, including amanah (trust), ‘adl (justice), maslahah al-ummah (public good), and hifz al-‘ird wa an-nafs (protection of dignity and self). Biometric data are treated as a trust, which imposes a higher moral and religious responsibility.
2.11. Accountability and audit. The Company documents the grounds, purposes, sources, retention periods, protective measures, and access to biometric data. Internal audits are conducted at least once a year. Upon request of regulators (AFSA and authorised bodies of Kazakhstan), the Company provides reports and audit results.
3. Biometric Data Retention Periods
3.1. Users’ biometric data are stored in the Company’s database and/or the secure infrastructure of the First Credit Bureau strictly for the period necessary to achieve the purposes specified in this Policy, namely: during the term of contractual relations between the User and the Company; for the duration of the Islamic financial product (including but not limited to Murabahah, Ijarah, Musharakah, Salam, Istisna); and for the time required to fulfil the Company’s obligations established by the laws of Kazakhstan, AIFC, and regulatory bodies (AFSA, ARFR, and the National Security Committee during KYC/AML procedures).
3.2. Upon expiry of the above periods or withdrawal of the User’s consent, biometric data shall be deleted or irreversibly anonymised, except when retention is required: for dispute resolution or claims; to meet statutory accounting and recordkeeping requirements; or pursuant to a lawful request of a court, law enforcement, or regulatory authority.
3.3. The standard retention period for biometric data after contract termination is five (5) years unless otherwise established by the Company’s internal policies or AIFC regulations. After expiry, data are securely erased or cryptographically deleted to prevent recovery.
4. Database Storage and Protection
4.1. All personal and biometric data of Users are stored in the Company’s centralised database hosted on servers certified under recognised information security standards (including ISO/IEC 27001 and PCI DSS) and located in the Republic of Kazakhstan and/or AIFC-accredited data centres.
4.2. Access to the database is strictly limited to employees and contractors whose duties directly relate to identification, verification, and customer servicing. All such individuals undergo background checks, training, and assume personal responsibility for maintaining confidentiality.
4.3. Data transmission between the Company’s systems and the First Credit Bureau’s infrastructure is encrypted using TLS 1.3 protocols and encryption algorithms approved by regulators.
4.4. The Company employs a multi-layered security system, including multi-factor authentication, access control, activity logs, threat monitoring, antivirus protection, and regular vulnerability testing.
5. User Information and Notifications
5.1. During registration, application submission, identity verification, or contract conclusion on the Company’s website or in the mobile application, the User is informed that the collection and processing of personal and biometric data are required for service provision and security.
5.2. Prior to activation of services or use of functions requiring identification, the User receives a clear notice describing the purposes, scope, and categories of collected data, retention periods, and possible recipients.
5.3. By clicking “Agree”, “Continue”, “Accept”, or “Confirm”, the User expresses full, voluntary, and informed consent to the processing of personal and biometric data, including their transfer to the First Credit Bureau and other authorised organisations.
5.4. The Company may send the User notifications relating to the use of data, identity confirmation, privacy policy updates, technical improvements, or security matters. Notifications may be delivered as push messages, SMS, emails, or in-app messages.
5.5. Informational or marketing communications unrelated to identification and security are sent only upon separate consent of the User, which may be withdrawn at any time through profile settings or customer support.
6. Data Categories and Notification of Collection
6.1. The Company collects and processes the following categories of User data: personal data (full name, date of birth, IIN, phone number, email address, residential address, citizenship); document data (scans or photos of ID, passport, or other identifiers); biometric data (facial images, video, voice, fingerprints, liveness parameters); device data (model, IP address, browser type, operating system, access time, geolocation); behavioural data (registration, login, verification, application submissions, and interactions within the app).
6.2. All data are collected directly from the User or from official partners (in particular, the First Credit Bureau) only after obtaining explicit consent.
6.3. The Company undertakes to notify the User in case of changes in the list of collected data, purposes of processing, storage location, or designation of third-party processors.
6.4. The User has the right to request from the Company: which data are stored; by whom and for what purposes they are processed; their retention period and possibility of deletion; and a copy of their consent or identification report.
7. Acceptance and Legal Force of Consent
7.1. By clicking “Accept”, “Agree”, “Confirm”, registering in the application, using functionality that requires identification, or signing a contract electronically, the User is deemed to have legally accepted the terms of this Policy and provided consent for the processing of personal and biometric data.
7.2. Acceptance means that the User confirms: receipt of notice regarding the purposes, scope, and retention period of data; understanding of the legal implications of data processing; and voluntary, informed consent.
7.3. The Company maintains electronic logs of acceptances (recording date, time, IP address, device type, and app version) and stores such records for a period equal to the data retention period or for five (5) years following withdrawal of consent.
7.4. Acceptance of this Policy means the User has been informed about the storage of their data in the Company’s secure database and the infrastructure of the First Credit Bureau, and agrees to receive notifications related to the use of such data.
8. Final Provisions
8.1. This Policy enters into force upon publication on the official website of the Company and remains valid indefinitely until replaced by a new version.
8.2. The Company reserves the right to update this Policy to ensure compliance with amendments to the legislation of the Republic of Kazakhstan, AIFC acts, or recommendations of the Company’s Sharia Supervisory Board.
8.3. All amendments are published publicly and take effect upon posting. Continued use of the Website or the Application after publication of an updated Policy constitutes acceptance of the changes by the User.
8.4. Any disputes or disagreements related to the processing of personal and biometric data shall be resolved through negotiations. If resolution cannot be achieved, the dispute shall be subject to consideration under the laws of the Republic of Kazakhstan or, where applicable, within the jurisdiction of the Astana International Financial Centre (AIFC).
9. Data Security Guarantees and Usage Restrictions
9.1. The Company guarantees that Users’ personal and biometric data shall not be sold, transferred, exchanged, distributed, or otherwise used for commercial purposes outside the scope of Islamic financial services and identification processes. Any use of data is permitted solely on lawful grounds and in compliance with Sharia principles, the legislation of the Republic of Kazakhstan, and AIFC regulations.
9.2. The Company does not transfer personal or biometric data of Users to third parties, except when such transfer: is necessary for execution of a contract with the User; is made to authorised Company partners (including the First Credit Bureau, payment operators, scoring or verification providers) bound by confidentiality and data protection agreements; or is required by law, court decision, or an official request of a competent authority.
9.3. All Company partners and contractors granted access to personal or biometric data must maintain confidentiality, use data only for purposes agreed with the Company, and ensure a level of protection not lower than that established by the Company.
9.4. The Company guarantees that it does not use, transfer, or store User data in foreign countries or organisations that do not provide an adequate level of data protection. Cross-border data transfer is permitted only with the User’s written consent and in compliance with the legislation of Kazakhstan and the AIFC.
9.5. In the event of unauthorised access, data breach, copying, loss, or destruction of personal or biometric data (information security incident), the Company shall: immediately take measures to localise and eliminate the consequences of the incident; conduct an internal investigation and security audit; notify affected Users within 72 hours from discovery; notify regulatory authorities — the AIFC Financial Services Authority (AFSA) and authorised state bodies of Kazakhstan — as required by law; and document the incident, its consequences, and corrective actions.
9.6. The User notification shall include: the date and time of the incident; the category of affected data; potential consequences and risks; contact details of the responsible Company officer; and recommended measures to minimise risks (e.g., password change, data update).
9.7. The Company is responsible for safeguarding personal and biometric data within its control and legal capacity. However, the Company shall not be liable for damage caused by: actions of third parties who gained illegal access to data despite the Company’s compliance with all required security measures; unauthorised use of data by the User (e.g., sharing passwords, login credentials, or device access); or force majeure events making protection objectively impossible.
9.8. The User acknowledges and agrees that the Company shall not be obliged to compensate losses resulting from actions of third parties unaffiliated with the Company, provided that the Company applied all reasonable protection measures as required by law and internal policies.
9.9. The Company confirms that the User database is its property, protected by law and Sharia principles, and used exclusively for legitimate contractual and legal purposes between the User and the Company.
9.10. Any other use, transfer, exchange, duplication, or processing of data not provided for in this Policy without the User’s consent is strictly prohibited and shall be treated as a violation of the laws of Kazakhstan, AIFC acts, and the Company’s internal standards.
10. Use of Data for Marketing, Informational, and Communication Purposes
10.1. The Company reserves the right to use personal data provided by the User (full name, contact details, phone number, email address, AJR application ID, and anonymised service usage data) for informing, notifying, and providing the User with personalised offers, promotions, and service updates.
10.2. The Company may send the User the following types of notifications and messages: service notifications (application status, contract signing, condition updates, data renewal requests, identity confirmation); legal notices (policy changes, regulations, service terms); and informational or marketing communications related to Islamic financial products, new services, special offers, educational, and awareness initiatives.
10.3. The Company guarantees that marketing messages will not contain information contradicting Islamic ethical standards (e.g., alcohol, gambling, usury, tobacco, or other prohibited activities).
10.4. All newsletters and communications are based on separate consent from the User, expressed by: confirming participation in promotions, loyalty or referral programs, surveys, or other Company activities; selecting the relevant option in the personal account, app, or registration form (“I agree to receive informational and promotional messages”); or providing contact details for feedback within subscription or inquiry forms.
10.5. The User may withdraw consent to receive marketing messages at any time by disabling notifications in app settings, clicking the “Unsubscribe” link in an email or SMS, or sending a written request to info@ajr.kz or via the feedback form on www.ajr.kz.
10.6. Withdrawal of consent does not affect the legality of processing carried out prior to withdrawal and does not restrict data use for contractual, service, or legal compliance purposes.
10.7. The Company may use User data for statistical analysis, aggregation, and anonymised analytics (e.g., user activity, preferences, product usage frequency) without identifying specific individuals.
10.8. The Company may engage partners (marketing agencies, digital platforms, telecom operators, analytics providers) to conduct joint campaigns and communications. Such partners act strictly under contracts with the Company, are bound by confidentiality, and may use data only within the granted scope.
10.9. The Company does not transfer personal or biometric data to unrelated third parties that are not bound by data protection agreements.
10.10. Participation of the User in marketing programs, promotions, bonus or referral campaigns is voluntary. Participation and data submission constitute the User’s consent to the use of such data for campaign management, result summarisation, and notification.
10.11. The Company may use User data to personalise app interfaces, adapt content, provide relevant offers and recommendations, improve service quality, and develop Islamic financial products.
10.12. When using data for analytics or personalisation, the Company does not employ automated decision-making producing legal consequences for the User without human involvement. All decisions affecting the User’s rights and interests are made with human review.
10.13. The Company respects the User’s choice and undertakes not to exert pressure or influence in obtaining consent for communications. All consent forms shall be clear, transparent, and separate from other terms.
10.14. The Company keeps records of all consents granted for participation in marketing campaigns, their duration, and withdrawal facts. Such records may be stored for five (5) years after the program ends or until User data deletion, whichever occurs first.
10.15. The User acknowledges and agrees that providing consent to receive informational and marketing messages implies awareness that their contact data may be used to notify them about products, offers, and services of the Company and its partners engaged in Islamic finance activities under the laws of the Republic of Kazakhstan and AIFC.