Privacy Policy | Green SM

1.1. Personal Data — data, including biometric data, relating to an identified or identifiable data subject, recorded on electronic, paper, and/or any other material medium. 1.2. Data Subject — an individual to whom the personal data relates and who accesses, registers on, or uses the Platform, or who accesses the Company website, passenger application, or driver application, and to whom the Personal Data relates. This includes Passengers booking transport services, and Driver-Partners engaging with the Company to provide transportation services through the Platform. All those subject to this Policy are referred to as “Users”, “You”, or “Your”. 1.3. Owner and/or Operator of the Personal Database — a legal entity carrying out the collection, processing and protection of personal data and for the purposes of this Policy, Green and Smart Mobility Technologies Kazakhstan LLP. 1.4. Processing of Personal Data — actions aimed at the collection, storage, modification, supplementation, use, dissemination, depersonalization, blocking, and destruction of personal data. 1.5. This Policy (available at https://www.greensm.com/kz-en/terms-policies/privacy-notice) may be updated, amended, supplemented, or replaced by the Company from time to time. You may regularly access and review the Company’s official website to stay informed of the latest changes. Your continued use of our Services after any modification to this Privacy Policy will constitute Your acceptance of such modification. 1.6. The Company undertakes to comply with the following principles when Processing Personal Data: (i) The Company shall process and protect Personal Data in strict accordance with the Law on Personal Data, other regulatory legal acts of the Republic of Kazakhstan, and contracts established with You; (ii) The Company shall collect Personal Data for specific, clear, and lawful purposes, strictly within the scope of the purposes set out in Section 3 of this Policy; (iii) The Company shall apply appropriate organizational and technical measures to ensure the security, integrity, and confidentiality of Personal Data, including protection against unauthorized or accidental access, destruction, alteration, blocking, copying, or dissemination; (iv) The Company shall store Personal Data in a form that permits identification of Data Subjects for no longer than is necessary for the purposes for which the Personal Data are processed.

To enable the Company to process Personal Data for the purposes specified in Section 3 of this Policy, the Company may process the following categories of Personal Data: 2.1. User Profile Data: Information collected when You create or update Your account on the Platform. This may include Your full name, email address, phone number, login name, physical address, payment method or banking details (including payment card verification tokens), date of birth, photo. For Driver-Partners, this additionally includes driving license details, state registration number of the vehicle, insurance policies, and background check information uploaded during onboarding. 2.2. Identity Verification Information: Biometric data (specifically, facial images and technical templates generated from photos) collected and processed solely for the following strictly defined purposes: (i) identity verification and prevention of account takeover, ensure; (ii) ensuring public safety; and (iii) prevention of fraudulent account creation. You may withdraw consent to biometric data processing at any time; however, such withdrawal may result in the Company's inability to provide certain services requiring identity verification, as set out in Section 10.1(v) of this Policy. 2.3. User Content: Communications, text messages, customer support tickets, ratings, reviews, or compliments submitted by You via the Platform. 2.4. Location Data: (i) Passengers: The Platform collects precise or approximate location data from the moment a ride request is initiated until the completion of the Trip, for the purpose of route mapping, driver-passenger matching, safety monitoring, and fare calculation. Location data is not collected outside of active Trip sessions unless you have provided separate consent for off-trip location access. (ii) Driver-Partners: The Platform collects precise real-time location data when the driver application is running in the foreground (app open and on-screen) to enable order dispatch, passenger matching, and route optimization. When the driver application is running in the background (app open but not on-screen), the Platform continues to collect precise location data for the following purposes only: (a) enabling the Driver-Partner to receive and accept ride requests; (b) ensuring safety and availability of emergency assistance; and (c) verifying compliance with applicable regulatory and licensing requirements. Background location collection by Driver-Partners is conducted on the basis of a separate, explicit consent provided during the Driver-Partner onboarding process. Driver-Partners may withdraw consent to background location collection at any time; however, such withdrawal will result in the inability to receive ride requests while the application is not in the foreground. 2.5. Transaction Information: Details regarding Trips executed via the Platform, including the type of service requested, specific trip details, date and time, amount charged, distance traveled, promotional codes applied, and payment method used. 2.6. Device Information: Technical data regarding the hardware models, device IP address, operating system versions, software file names, preferred language settings, unique device identifiers, advertising identifiers, serial numbers, and mobile network operator details. 2.7. Communications Data: Metadata and content of phone calls or SMS messages exchanged between Passengers and Driver-Partners facilitated via the Platform's masked communication masking technology (which hides telephone numbers from both participants). 2.8. Data from other sources: Information obtained from marketing partners, financial institutions, state databases (where permitted by law), and third-party fraud detection service providers.

Personal Data may be processed for one or more of the following purposes: 3.1. Assessing the ability to provide products, services and/or enter into contracts (i) Identifying and verifying your information for the purpose of enabling access to and use of the Company’s Platform and services; Verifying that you are who you say you are by using the account information you provide during signup (such as name, contact information, date of birth or payment information) alongside insights from identity and fraud prevention third-party databases. Verifying your age and that your account is being used by you and not by someone else. (ii) Collecting your ID number and/or a photo of your ID, and completing a verification to confirm that the ID is valid, unaltered and that no other account is associated with that document. (iii) Evaluating, reviewing, and approving the provision of products and services based on your registration documents, applications, and contracts; (iv) Conducting background verification for drivers who provide transportation services (v) Considering the provision or continuation of any products or services of the Company to you. 3.2. Performing obligations under contracts, agreements, terms, conditions, and other instruments between the Company You, and supporting you, including but not limited to the following purposes: (i) Fulfilling contractual obligations and providing products and services to you; (ii) Updating and processing your information; (iii) Handling complaints and disputes by or related to you; (iv) Using and transferring Personal Data and related information to partners for identifying and resolving product or service issues; (v) For Contacting and notifying you; (vi) Implementing promotional programs, gift exchanges, awards, and delivery of gifts; (vii) Performing other customer care and support activities; (viii) For safety and security reasons; (ix) Providing live support during your trips. 3.3. Improving the quality of the Company’s products and services, including but not limited to: (i) Providing information upon request or when deemed useful by the Company; (ii) Enhancing technology, website interface, social media platforms, and applications to ensure your convenience; (iii) Managing your accounts and/or customers and loyalty programs; (iv) Compiling statistics and analyzing data for research, development, and improvement of products and services; enhancing your experience; (v) Developing and offering new products and services personalized to your needs; (vi) Introducing and providing promotional programs and incentives for the Company’s products and services and those offered in cooperation with partners; (vii) Recommending products and services that you may be interested in based on preference identification of you and/or customers. (viii) Use your Personal Data to understand your interests, preferences, or characteristics about you, and personalize ads we show you; (ix) Send push notifications suggesting your favorite destinations or merchants, or in-app messages offering discounts or promotions for products or merchants similar to those you’ve previously ordered; (x) Providing customer support for investigating and addressing user concerns, including investigating user reported misconduct (such as inappropriate messages or fraud), monitoring and improving our customer support responses and processes, and identifying potential participants in research studies relating to customer support issues. (xi) Providing customer support for investigating and addressing concerns raised by the drivers, including investigating user reported misconduct (such as inappropriate messages or fraud), monitoring and improving our customer/driver support responses and processes, and identifying potential participants in research studies relating to customer support issues. (xii) Display personalized ads on the Platform. 3.4. Supporting the Company’s business operations, management, and development, including but not limited to fulfilling reporting, financial, accounting, and tax obligations, audit purposes, compliance activities, human resource development, work quality improvement, and other related activities serving the Company’s lawful business operations as deemed necessary. 3.5. Restructuring or transferring projects/businesses: During business operations, the Company may sell or purchase businesses, restructure, or transfer projects or other services in accordance with the law. Accordingly, Personal Data and general information usage rights shall be among the assets transferred. In all cases, the transfer and Processing of Personal Data shall be carried out by the parties in compliance with the law and this Policy. 3.6. Developing marketing, advertising, and trade promotion campaigns, including campaigns based on your preferences. 3.7. Prevention, control, investigation, and detection of acts in violation of the Company’s regulations and applicable laws. 3.8. Safeguarding public order and safety, and protecting your lawful rights and interests, the Company, and other related parties. 3.9. Compliance with applicable laws and international treaties ratified by the Republic of Kazakhstan, including but not limited to investigate or address claims or disputes relating to use of the services; to satisfy requirements under and/or for purposes of compliance with, applicable laws, regulations, operating licenses, agreements or insurance policies; or pursuant to legal process or governmental request, including from law enforcement. 3.10. Other purposes subject to your consent.

4.1. To the extent permitted by law, You acknowledge that the Company may share Personal Data for the purposes stated in this Policy with the following organizations and individuals: (i) The Company’s parent company, subsidiaries, and affiliates (including Green and Smart Mobility Kazakhstan LLP); (ii) Service providers and/or entities cooperating with the Company, including but not limited to: agents, auditors, legal counsel, business partners, providers of IT solutions, software, applications, operational services, management, troubleshooting, infrastructure development, and services aimed at trade promotion; (iii) Any individual or organization acting as your representative or authorized party; (iv) Advertising and marketing partners and providers, including advertising publishers (such as social media platforms), advertising networks and advertisers, third-party data providers, advertising technology vendors, measurement and analytics providers, and other advertising service providers, solely to the extent necessary to enable delivery of advertising and measurement of advertising effectiveness on the Platform. (v) Advertising intermediaries: The Company shares data — including advertising or device identifiers, hashed email addresses, approximate location, current trip information, and ad interaction data — with advertising intermediaries to enable the delivery of targeted advertising on and for such other purposes as are disclosed in their privacy notices. You may opt out of ad personalization or by contacting Green SM at support.kz@greensm.com. Withdrawal of consent to personalized advertising does not affect the lawfulness of advertising processing carried out prior to withdrawal and will not affect delivery of non-personalized advertising. (vi) Cloud storage providers. (vii) Customer support platform and service providers. (viii) Third party navigation service providers, in connection with the use of maps in the Platform. (ix) Identity verification and risk solutions providers. (x) Payment service provider, gateways, processors and facilitators. (xi) Research partners, including those performing surveys or research projects in partnership with the Company or on Company’s behalf. (xii) Service providers that assist the Company to enhance the safety and security of the Platform and services. (xiii) Service providers that provide us with artificial intelligence and machine learning tools and services. (xiv) For conducting background verification of the information/documents provided by You to be engaged as driver with the Company. 4.2. Data sharing shall be carried out in accordance with the proper procedures, methods, and applicable laws. Recipients of Personal Data shall be obligated to maintain confidentiality in compliance with this Policy, the Company’s internal regulations, standards for Personal Data protection, and applicable laws. 4.3. The Company may be required to share Personal Data with competent state authorities as prescribed by law. The Company may share your data if it’s required by applicable law, regulation, operating license or agreement, or governmental request, insurance policy, or where the disclosure is otherwise appropriate due to safety or similar concerns. This includes sharing data with law enforcement officials, public health officials, other government authorities, insurance companies, third-party fleet partners, or other third parties as necessary to enforce our terms and conditions, user agreements, or other policies; to protect the Company’s rights or property or the rights, safety or property of others; or in the event of a claim or dispute relating to the use of our services. 4.4. You acknowledge and expressly agree that the Company’s partners, contractors, affiliates, and other third-party recipients may receive, store, use, share, and otherwise process Your Personal Data on behalf of the Company and/or in connection with the provision of the respective services. Such processing shall be strictly limited to the scope necessary to achieve the purposes outlined in this Policy and shall be conducted in full compliance with the applicable laws of the Republic of Kazakhstan.

Personal Data is stored for as long as you maintain an account with the Platform. The details such as transactions, location, usage and other information is stored and retained for a period as required under applicable laws. The retention period for Personal Data is determined based on the purposes of use as stated in this Policy and in compliance with applicable laws.

6.1. The Company shall not sell Personal Data to any party. The Company applies necessary security measures to ensure that the transfer/sharing of Personal Data is safe. Personal Data may be shared as set out in Clause 4 above or other cases as permitted by law. 6.2. Cross-Border Transfer of Personal Data. (i) The Company may cross-border transfer Personal Data to recipients located in foreign states, as may be necessary for the purposes stated in this Policy. Some of these jurisdictions may not provide a level of personal data protection equivalent to that established by the laws of the Republic of Kazakhstan. (ii) Cross-border transfer of Personal Data is carried out in accordance with Article 22 of the Law on Personal Data, and solely for the purposes enumerated in Section 3 of this Policy. (iii) Prior to cross-border transfer of Personal Data to jurisdictions that do not provide an adequate level of protection, the Company ensures that the recipient has undertaken to maintain a level of protection of Personal Data no lower than that established by the laws of the Republic of Kazakhstan. (iv) By accepting this Policy, you expressly and separately consent to the cross-border transfer of your Personal Data, including biometric and location data, to the jurisdictions identified above, understanding that the laws of such jurisdictions may not provide protection equivalent to the laws of the Republic of Kazakhstan. You have the right to withdraw this consent at any time in accordance with Section 10.1(v) of this Policy.

Personal Data is analyzed based on the Company’s internal processes, data confidentiality principles, and information security standards for IT systems.

When necessary, Personal Data collected shall be encrypted in accordance with appropriate encryption standards during storage, transfer, and processing to ensure that data is always protected.

9.1. When the contractual relationship terminates or when the use of the Company’s products or services ends, or upon a valid request from you, the Company shall delete the stored Personal Data except in the following cases: (i) The applicable law prohibits deletion or requires mandatory retention of data; (ii) Personal Data is processed by competent state authorities for the purpose of serving state operations in accordance with the law; (iii) Personal Data has been lawfully disclosed under applicable laws; (iv) Personal Data is processed for legal requirements, scientific research, or statistical purposes in accordance with the law; (v) In cases of national defense or security emergencies, public order and safety, major disasters, dangerous epidemics; when there is a threat to national security or defense but not to the extent of declaring a state of emergency; prevention and control of riots, terrorism, crime, and legal violations. 9.2. Throughout the entire process of Personal Data Processing, confidentiality is the Company’s highest priority. The Company applies appropriate technical measures to prevent unauthorized access or use of Personal Data. The Company also regularly cooperates with security experts to update the latest cybersecurity techniques to ensure the safety of Personal Data. Your Payment card data issued by financial institutions is protected under the principle that critical card data (card number, cardholder name, CVV) is not recorded in the Company’s systems. Your payment transactions are carried out on the relevant bank’s system.

10.1. Subject to applicable laws, the Data Subject shall have the following rights in relation to the Processing of Personal Data by the Company: (i) to know whether Your Personal Data is held by the Company or third parties, and to receive information confirming the fact, purposes, sources, methods of collection and processing, the list of Personal Data, and the processing and retention periods; (ii) to demand from the Company to correct, supplement, or update Your Personal Data if there are grounds confirmed by relevant documents; (iii) to demand from the Company or third parties to block Your Personal Data if there is information indicating a violation of the conditions for its collection and processing; (iv) to demand from the Company or third parties to destroy Your Personal Data if its collection and processing were conducted in violation of the applicable laws of the Republic of Kazakhstan, or in other cases established by law; (v) to withdraw Your consent to the collection, processing, cross-border transfer, and sharing of Your Personal Data with third parties (except in cases where continued processing is required by law or for the fulfillment of an unfulfilled legal or contractual obligation); (vi) to give or refuse consent for the dissemination of Your Personal Data in publicly available sources; (vii) to protect Your rights and legitimate interests, including seeking compensation for moral and material damages in accordance with applicable laws; (viii) other rights under applicable laws. 10.2. Exercise of Rights: (i) You may exercise the rights set out in this Section 10.1 by submitting a request to the Company through the contact details notified by the Company for this purpose. (ii) For the purposes of processing any request, the Company may require you to verify their identity using reasonable and lawful means. (iii) The Company shall respond to and act upon lawful and valid requests from you within the timelines prescribed under the applicable laws. (iv) Where You request for the withdrawal of Consent or exercise of any right by you results in the Company being unable to continue providing certain products, services, or functionalities that are dependent on such processing, the Company may be required to discontinue or limit the provision of such products, services, or functionalities, in accordance with the applicable laws. 10.3. Grievance Redressal: (i) The Company shall establish and maintain an effective grievance redressal mechanism for addressing complaints or grievances raised by Data Subjects in relation to the Processing of Personal Data. (ii) Any grievance raised by you shall be addressed by the Company within the timelines prescribed under the applicable laws. (iii) In the event, you are not satisfied with the resolution of a grievance by the Company, or where the Company fails to respond within the prescribed timelines, the Data Subject shall have the right to escalate such grievance as per applicable laws. 10.4. Limitations (i) Your exercise of rights shall be subject to such limitations, conditions, and exemptions as may be prescribed under the applicable laws. (ii) The Company may refuse or restrict the fulfillment of a request where such refusal or restriction is permitted under the applicable laws, including where: (a) the request is manifestly unfounded or excessive; (b) compliance with the request would violate any law for the time being in force; or (c) retention or Processing of Personal Data is required for compliance with the applicable laws or any other legal obligation.

11.1. Protect their own Personal Data; request relevant organizations or individuals to protect their Personal Data. Promptly notify the Company upon discovering any errors, mistakes, leaks, or suspected breaches of Personal Data. 11.2. Respect and protect the personal data of others. 11.3. Provide complete and accurate Personal Data when consenting to its processing. If any information is incorrect, you shall bear all costs incurred if such information affects or limits their rights and interests. 11.4. Comply with legal provisions on personal data protection and participate in preventing and combating violations of personal data protection regulations. 11.5. Other responsibilities as prescribed by applicable laws.

12.1. The Company employs various information security technologies such as firewalls, access control measures, and encryption to protect and prevent unauthorized access, use, or sharing of Personal Data. However, the Company cannot guarantee absolute security of Personal Data in certain circumstances, including: (i) Hardware or software errors during data processing resulting in loss of your Personal Data; (ii) Security vulnerabilities beyond the Company’s control, including system attacks by hackers or cybercriminals causing data breaches. 12.2. The Company advises you to keep confidential all information related to account login credentials, OTP codes, and not to share such information with any other person. 12.3. You should be clearly aware that at any time when they disclose or publicly share their Personal Data, such data may be collected and used by others for purposes beyond your control and the Company. 12.4. The Company recommends that you secure your personal devices (mobile phones, tablets, personal computers, etc.) during use. You should log out of their account when not in use. 12.5. In the event that the data storage server is attacked, resulting in loss or leakage of Personal Data, the Company shall be responsible for notifying the competent authorities for timely investigation and handling, and informing you in accordance with applicable law. 12.6. Cyberspace is not an entirely secure environment, and the Company cannot guarantee absolute security for Personal Data shared over the internet. When transmitting Personal Data online, you should only use secure systems to access websites, applications, or devices. You are responsible for keeping your authentication credentials for each website, application, or device safe and confidential.

13.1. Personal Data shall be processed from the time the Company lawfully receives the Personal Data and has an appropriate legal basis to process such data in accordance with the applicable laws. 13.2. Personal Data shall be processed until the purposes of data processing have been fulfilled. 13.3. The Company may be required to retain Personal Data even after the termination of the contract between the parties to fulfill obligations under the law and/or at the request of competent state authorities.

The Platform may contain links to third-party websites or services (“External Resource”). Your browsing on and interaction with any External Resource, irrespective of whether the link to such External Resource originated on our Platform, is subject to the terms and privacy policies of such External Resource. We are not responsible for the functionality, privacy, or security measures of any other entity and this Privacy Policy will not govern your use and access of such website or service you are redirected to.