This Policy applies to the processing of personal data when using the website https://aiback.uz (hereinafter - the “Website”), its subdomains and other Общества с ограниченной ответственностью "AIBACK" (LLC "AIBACK"), TIN 313 029 699, зарегистрированное по законодательству Республики Узбекистан (далее - "Компания" или "AIBACK") web pages, as well as personal accounts of Visitors, Users and Partners, mobile and/or desktop applications, integrations via API, iFrame, White‑Label technologies and other similar online channels of access to the AIBACK service.

1.1. “Personal data” means any information relating to an identified or directly or indirectly identifiable natural person (data subject), as understood under the laws of the Republic of Uzbekistan and applicable laws of other countries in the region;

1.2. “Processing of personal data” means any operation or set of operations performed on personal data (collection, recording, systematization, storage, modification, use, anonymization, blocking, destruction, cross‑border transfer, etc.);

1.3. “Personal data controller (operator)” means a person who, alone or jointly with others, organizes and/or carries out the processing of personal data, as well as determines the purposes of processing and the scope of data in accordance with the Law of the Republic of Uzbekistan “On Personal Data”.

1.4. With regard to:
a) data of visitors to the AIBACK website (marketing, web analytics, feedback forms), AIBACK acts as a personal data controller (operator);
b) data of end users of our clients (for example, buyers leaving reviews on marketplaces), AIBACK as a rule acts as a data processor, acting on behalf of and in accordance with the instructions of the respective client‑controller.

1.5. “Data processor (authorized person)” means a person processing personal data on behalf of the Controller and within its instructions.

1.6. AIBACK is:

• a Personal Data Controller with respect to data of Website Visitors, registered Users and Partners, as well as persons who contact us via communication channels specified on the Website;
• a Personal Data Processor with respect to data of end users of clients and Partners (buyers, authors of reviews, initiators of dialogues and requests, etc.) transmitted to AIBACK via marketplaces, CRM systems, API, iFrame, White‑Label and other channels. The Controller of such data is the relevant client or Partner.

1.7. “Cookies” are small pieces of data that a website stores in a user’s browser, allowing the browser to be recognized, preferences to be stored and the use of the website to be analyzed.

1.8. "Посетитель сайта" - любое физическое лицо, посещающее Сайт без регистрации и использующее его в режиме просмотра, как определено в Пользовательском соглашении (EULA). Обработка данных Посетителей осуществляется в объёме, указанном в разделе 3.1 настоящей Политики.

2.1. This Privacy and Cookies Policy (hereinafter the “Policy”) describes how AIBACK (hereinafter the “Company”, “we”) collects, receives, stores, uses, transfers and otherwise processes personal data when:
a) visiting the AIBACK website and related web resources;
b) using the AIBACK SaaS platform and its IT functionality (API/iFrame/White‑Label, etc.) for processing reviews, dialogues and other customer communications;
c) interacting with us as a partner or client under agreements and public offers for the provision of IT services for access to the AIBACK software, its implementation and maintenance.

2.2. The Policy is developed in accordance with the legislation of the Republic of Uzbekistan, including the Law of the Republic of Uzbekistan “On Personal Data” taking into account the latest amendments introduced by Law No. ZRU‑1125 of 26.03.2026, as well as with due regard to general approaches of international and regional (Central Asia) data protection regulation.

2.3. If you are an AIBACK client or partner from another Central Asian country (Kazakhstan, Kyrgyzstan, Tajikistan, Turkmenistan, etc.), in processing data we take into account the mandatory requirements of the laws of the relevant jurisdiction (for example, requirements for database registration, data localization or additional consent of data subjects) to the extent necessary for the lawful provision of services.

2.4. This Policy is an integral part of and applies together with the following documents published on the AIBACK Website:

• User Agreement (EULA);
• Public SaaS Offer of AIBACK (service provision),
• Public Partnership Offer.

In case of any inconsistencies between the documents, priority is given to an individual agreement / addendum, then to the relevant offer, and then to this Policy.

2.5. AIBACK выполняет требования законодательства Республики Узбекистан об уведомлении уполномоченного государственного органа в области персональных данных о намерении осуществлять обработку персональных данных, в случаях и порядке, предусмотренных Законом Республики Узбекистан "О персональных данных". Сведения о регистрации баз персональных данных, подлежащих обязательному включению в Государственный реестр, поддерживаются AIBACK в актуальном состоянии.

3.1. Data processed when visiting the Website and interacting with us as a controller:
a) identification data: name, position, name of organization, contact details (e‑mail, phone), country/city;
b) data for registering an account in the service: login, e‑mail address, password (in hashed form);
c) technical and log data: IP address, browser and device data, interface language, session information, Cookies, date and time of requests, URLs of transitions;
d) marketing data: information on newsletter subscriptions, responses to emails and campaigns, information about visiting pages.

3.2. Data processed when providing services to clients (as a processor):
a) data of clients’ end users (for example, authors of reviews about goods and services, buyers): nickname/name, review text, rating, order and product data, time of review publication and other information contained in the source (marketplace, online store, etc.);
b) service identifiers: client ID, seller/store ID, channel/marketplace ID, internal IDs of reviews and entities in the AIBACK system;
c) account data of employees of clients using the AIBACK interface: name, contact details, role/access rights, activity log data.

3.3. AIBACK does not initiate and does not control the content of review texts, dialogues and requests that end users send to our clients and Partners through marketplaces, online stores and other channels. Responsibility for lawful collection of such data and their compliance with legal requirements (including, where required, obtaining consents of data subjects) lies with the relevant Controllers (clients and Partners) who transmit data to AIBACK.

3.4. As a general rule, we do not request and do not specifically target the processing of biometric or genetic data, as well as data of telecom operator subscribers as a separate category, however such data may technically be included in the original information uploaded by a client. Special legal requirements on localization within the territory of the Republic of Uzbekistan and restriction of cross‑border transfer apply to such categories.

3.5. At the same time, we take reasonable measures to minimize the processing of special categories of data (for example, health data, biometric and genetic data) and information about children, including by means of filtering, model configuration and internal instructions to staff, but we cannot fully exclude such data from entering the system, given the free‑form nature of user reviews.

3.6. We do not carry out targeted processing of data of children under 16 as a separate target audience; if you are a parent/legal representative and believe that a child’s data has been processed without proper consent, please contact us using the contact details at the end of this document in Section 16.

4.1. We process personal data for the following purposes:
a) conclusion and performance of contracts, including public offers, provision of access to the service, support and billing;
b) provision of the SaaS platform functionality: receipt and normalization of reviews and events, classification according to the AIBACK taxonomy, preparation of responses, analytics and reporting for clients;
c) ensuring security, fraud prevention, debugging and monitoring the stability of the infrastructure;
d) communication with clients and partners (support, notifications, updates, marketing communications where the relevant consent is available, where required);
e) compliance with legal requirements (accounting, reporting, responses to requests from competent authorities).

4.2. The legal bases for processing are:
a) conclusion and performance of a contract to which the data subject is a party or in which the data subject acts as a representative/contact person;
b) performance of obligations imposed on us by law (for example, in the area of accounting and tax reporting);
c) законные интересы компании и наших клиентов - исключительно в следующих случаях: (i) обеспечение информационной безопасности инфраструктуры и защита от мошенничества; (ii) обезличенная аналитика использования сервиса в целях его улучшения; (iii) защита имущественных прав AIBACK от злоупотреблений; - при условии, что в каждом таком случае обработка не нарушает права и свободы субъектов персональных данных, а интерес AIBACK является соразмерным и необходимым;
d) consent of the data subject - in cases where this is expressly required by law (marketing communications, certain types of cookies and tracking, and other cases provided by the law of the relevant jurisdiction).

4.3. With regard to data of clients’ end users we act as a data processor and rely on the legal bases determined by the client‑controller (for example, public offer of the online store, user agreement of the marketplace, consents collected by the client).

5.1. When you visit the AIBACK Website, we use Cookies and similar technologies (pixels, local storage, SDK) in order to:
a) ensure the technical functioning and security of the Website;
b) remember your settings (interface language, login parameters);
c) analyze the use of the Website to improve its content and navigation;
d) subject to the relevant consent - display personalized content and marketing materials.

5.2. Cookies may be:

• strictly necessary (required for the functioning of the Website and services; disabling them is not possible as regards the basic operation of the Website);
• functional (remember your choices and settings);
• analytical/statistical (help us understand how the Website is used);
• marketing/advertising (used to show relevant advertising and measure its effectiveness).

5.3. On your first visit to the Website (and periodically thereafter) we may display a cookie banner/management interface allowing you to consent to all categories or configure your choices. The use of strictly necessary Cookies may take place without separate consent, as they are necessary for the provision of the online service you requested.

5.4. You can withdraw or change your Cookies preferences at any time using your browser settings or the cookie management interface on the Website. Please note that disabling certain types of Cookies may affect availability or correct operation of some parts of the Website.

5.5. При получении согласия субъекта персональных данных на обработку данных, требующую согласия, AIBACK обеспечивает, чтобы такое согласие содержало: наименование и ИНН AIBACK, идентификацию субъекта, перечень обрабатываемых данных, конкретные цели обработки, указание срока его действия, а также разъяснение порядка его отзыва. Форма согласия или соответствующий интерфейс доступны в личном кабинете и/или при первом посещении сайта.

6.1. We obtain personal data:
a) directly from you (when registering, filling in forms, contacting support, entering into agreements);
b) from our clients and partners acting as personal data controllers (for example, when marketplaces and online stores are connected to AIBACK);
c) from publicly available sources in accordance with the law (for example, public information about a client legal entity);
d) automatically when you use the Website or services (log files, technical data, Cookies).

6.2. We assume that client‑controllers provide us with data lawfully, in compliance with applicable laws and their obligations towards data subjects.

7.1. As part of service provision, we also process technical data such as API keys, access tokens, logins and service parameters of integrations with marketplaces, CRM systems, messengers and other channels through which reviews, dialogues and requests are exchanged.

7.2. Such data are used solely to ensure the operation of integrations, are protected by organizational and technical measures and are not transferred to third parties outside the purposes of service provision, except in cases directly provided for by law or contract.

8.1. The AIBACK infrastructure may include servers and services located both within and outside the territory of the Republic of Uzbekistan. When carrying out cross‑border transfers of personal data, we comply with the requirements of the Law of the Republic of Uzbekistan “On Personal Data”, including restrictions on the transfer of certain categories of data (including biometric, genetic data and data of telecom services users) and requirements for storing such data within the territory of the Republic of Uzbekistan.

8.2. In accordance with amendments to the Law of the Republic of Uzbekistan “On Personal Data”, certain categories of data are subject to mandatory storage and processing within the territory of the Republic of Uzbekistan (in particular, biometric and genetic data, as well as data of telecom services users). We arrange for such data to be stored on servers located within the territory of the Republic of Uzbekistan and restrict their cross‑border transfer unless otherwise permitted by law. В стандартном режиме работы сервиса AIBACK не запрашивает и не хранит биометрические данные или данные в формате, позволяющем их идентификацию как генетических. Если в ходе работы с клиентом такие данные могут оказаться в системе, AIBACK незамедлительно уведомляет клиента-оператора и согласовывает порядок их хранения на территории Республики Узбекистан.

8.3. Where AIBACK information systems process personal data relating to categories subject to mandatory storage within the territory of the Republic of Uzbekistan (including biometric data, genetic data and data of telecom services users), such personal data databases are subject to registration in the State Register of Personal Data Databases in accordance with the procedure established by the legislation of the Republic of Uzbekistan. AIBACK ensures maintenance and updating of information on such databases and their registration.

8.4. Cross‑border transfer and storage of personal data on servers outside the Republic of Uzbekistan are carried out only if one or more of the following conditions are met:
a) the foreign state is officially recognized as providing an adequate level of personal data protection in the manner established by the competent authority of the Republic of Uzbekistan;
b) the controller and/or processor applies standard contractual clauses and/or binding corporate rules that meet the requirements approved by the competent authority;
c) the controller and/or processor complies with international standards in the field of personal data management and storage, the list of which is approved by the competent authority.

8.5. For clients and data subjects from other Central Asian countries, we also take into account local requirements for cross‑border transfer and localization (for example, regulatory specifics in Kazakhstan), organizing processing through respective regional segments and/or contractual mechanisms (SCC, BCR, etc.).

9.1. AIBACK uses artificial intelligence and machine learning technologies to analyze reviews, perform clustering, generate draft responses and analytical reports.

9.2. Such technologies are used to automate the processing of information and are not used for making legally significant decisions affecting the rights and freedoms of individuals solely based on automated processing without human involvement.

9.3. The results of AI models are of a recommendatory nature and are subject to review and control by clients, Partners and/or authorized staff.

10.1. To ensure the operation of the services, we may engage third parties - providers of cloud infrastructure, monitoring tools, AI platforms and other technological services (sub‑processors).

10.2. Such parties process personal data on the basis of agreements with AIBACK and solely for the purpose of providing services to us, while complying with confidentiality and security requirements provided by law and this Policy.

10.3. We may disclose personal data to third parties in the following cases:
a) to providers of cloud infrastructure, CDN, monitoring and logging tools, backup systems and other IT services that help us provide and support the platform (such parties act as processors and are bound by contractual obligations on data protection);
b) to partners and resellers involved in promoting and implementing AIBACK - to the extent necessary for joint projects and where the relevant legal basis exists;
c) to state authorities and other persons where such disclosure is required by law, court order or lawful request of a competent authority;
d) to successors in case of restructuring, merger, sale of business or other transformation, subject to compliance with personal data protection requirements.

10.4. We do not sell personal data to third parties in the strict sense of “sale of data”; data may be transferred as part of partnership and affiliate relationships on a contractual basis and within the limits allowed by law.

10.5. An up‑to‑date list of key categories of such providers and, where necessary, specific companies may be provided upon request or published in a separate section of the Website.

11.1. We store personal data no longer than necessary for the purposes for which they are processed, unless a longer retention period is provided for by law or contract.

11.2. Typical retention periods:
a) данные учётных записей, договорная документация и данные об оплате - в течение срока действия договора и не менее 5 (пяти) лет после его прекращения - для целей бухгалтерского и налогового учёта в соответствии с требованиями законодательства Республики Узбекистан;
b) log and technical analytics data - from several days to several months, depending on the purposes (security, debugging);
c) data processed on the basis of consent (marketing communications) - until consent is withdrawn or the purposes of processing are achieved.

11.3. Upon expiry of retention periods, data are deleted or anonymized in such a way that identification of the data subject becomes impossible.

12.1. Data subjects, in accordance with the legislation of the Republic of Uzbekistan and other applicable jurisdictions, have the right to:
a) obtain information about the fact, purposes, legal bases and methods of processing of their personal data;
b) request that their personal data be clarified (updated, modified);
c) request blocking or destruction of personal data if they are processed unlawfully or have become outdated;
d) withdraw previously given consent to processing (in cases where processing is based on consent);
e) object to processing based on legitimate interests if such processing affects their rights and freedoms;
f) appeal actions or omissions of the controller and/or processor to the competent personal data protection authority and/or to a court.

12.2. To exercise your rights, you may send a written request using the contact details provided at the end of this document in Section 16. We may request additional information necessary to verify your identity and will respond within the time limits established by applicable law.

12.3. If we process your data as a processor on behalf of a client‑controller, we will inform you of this and, where necessary, forward your request to the relevant controller or suggest that you contact the controller directly, since the controller determines the purposes of processing and can fully handle your request.

13.1. We implement organizational and technical measures aimed at protecting personal data against unlawful or accidental access, destruction, modification, blocking, copying, disclosure, dissemination and other unlawful actions.

13.2. Such measures include:
a) use of modern encryption for data transmission and, where appropriate, for data storage;
b) infrastructure segmentation and access restrictions to data based on roles;
c) event logging and monitoring of anomalous activity;
d) backup and disaster recovery plans;
e) contractual confidentiality obligations with employees and contractors.

13.3. Despite the measures taken, no method of data transmission over the Internet or of data storage can guarantee absolute security; however, we strive to maintain a level of protection that corresponds to industry best practices and legal requirements.

14.1. Our services are intended for use by business clients and their authorized employees; we do not target direct interaction with children.

14.2. If we become aware that we have received personal data of a child without proper consent of a legal representative, we will take steps to delete such data or to bring processing in line with the law.

15.1. We may periodically update this Policy to reflect changes in legislation, technologies and business processes. When making material changes, we publish the updated version on the Website indicating the date of update and, where necessary, may send notifications (for example, by e‑mail or via the service interface).

15.2. Continued use of the Website and services after the changes come into force constitutes acceptance of the updated version of the Policy, except where separate consent is required by law.

15.3. Настоящая Политика публикуется на русском, узбекском и английском языках. В случае расхождений между языковыми версиями приоритет имеет русскоязычная версия, если иное прямо не указано Компанией.

16.1. AIBACK is responsible for the processing of personal data under this Policy:

“AIBACK” LLC

TIN: 313 029 699

UZBEKISTAN, TASHKENT, SHAYKHANTAKHUR DISTRICT, LABZAK MFY, LABZAK KO'CHASI, 64A‑UY

16.2. The primary applicable law is the law of the Republic of Uzbekistan, unless otherwise provided by mandatory norms of the law of the data subject’s or client’s country or by individual agreements.

16.3. Questions related to the application of this Policy may be sent to the following e‑mail address: support@aiback.uz with the note “Personal data”.

16.4. Для вопросов, связанных с защитой персональных данных, AIBACK назначает ответственного за обработку персональных данных. Контактные данные ответственного лица: privacy@aiback.uz . Срок рассмотрения запросов субъектов персональных данных - не позднее 10 рабочих дней с даты получения обращения, если иное не предусмотрено законодательством.

№ версии | Действует с даты:

1. 2026.04.27
2. 2026.06.11 (актуальная версия)