Last updated: March 8, 2026
1.1. This Privacy Policy (hereinafter referred to as the "Policy") defines the procedures for collecting, processing, storing, and protecting personal data of users of the VenueCall platform (hereinafter referred to as the "Platform").
1.2. The data controller is IE Abdrakhmanov, IIN 990331300094, Almaty, Republic of Kazakhstan (hereinafter referred to as the "Controller").
1.3. This Policy has been developed in accordance with the Law of the Republic of Kazakhstan "On Personal Data and Their Protection" dated May 21, 2013 No. 94-V (hereinafter referred to as the "Law").
1.4. By registering on or using the Platform, the user agrees to the terms of this Policy. If the user does not agree with the terms, they must discontinue use of the Platform.
1.5. The Platform is accessible at https://venuecall.app.
| Personal Data | Any information relating to an identified or identifiable natural person (data subject) |
| Data Subject | A natural person whose personal data is being processed |
| Controller | The entity that determines the purposes and means of processing personal data — IE Abdrakhmanov |
| Processing | Any operation performed on personal data, including collection, recording, organization, storage, modification, use, distribution, depersonalization, blocking, and destruction |
| Venue Owner | An entity that has registered a venue (restaurant, bar, cafe) on the Platform |
| Staff Member | An employee added to the Platform by a Venue Owner |
| Guest | An individual who uses the Platform's guest interface via QR code or directly |
| Cookies | Small text files stored on a user's device |
3.1. Venue Owner Data
| Data | Purpose | Legal Basis |
|---|---|---|
| Email address | Registration, authentication, notifications | Contract performance |
| Full name | Account identification | Contract performance |
| Password (bcrypt hash) | Authentication | Contract performance |
| Venue name and address | Service delivery, guest-facing information | Contract performance |
| Logo (image) | Venue interface customization | Consent |
| Data | Purpose | Legal Basis |
|---|---|---|
| Email address | Registration, authentication | Contract performance |
| Full name | Account identification | Contract performance |
| Role (position) | Access control | Contract performance |
| Data | Purpose | Legal Basis |
|---|---|---|
| Phone number | OTP authentication via WhatsApp | Consent |
| Name | Order and reservation identification | Consent |
| Order history | Service delivery, analytics | Contract performance |
| Loyalty program data | Bonus and discount tracking | Consent |
| Chat messages | Communication with venue | Consent |
| Data | Purpose | Legal Basis |
|---|---|---|
| IP address | Error monitoring (Sentry) | Legitimate interest |
| User Agent | Error monitoring (Sentry) | Legitimate interest |
| Anonymous events | Product analytics (Amplitude) | Legitimate interest |
4.1. Direct collection — the user provides data voluntarily during registration or while using the Platform.
4.2. Automatic collection — technical data (IP address, User Agent, cookies) is collected automatically during interaction with the Platform.
4.3. Third-party collection — phone number verification is performed via WhatsApp during OTP authentication.
5.1. Personal data is processed electronically and stored on secure servers.
5.2. Database: PostgreSQL hosted on Fly.io (Netherlands, European Union).
5.3. Passwords are hashed using the bcrypt algorithm and cannot be recovered in plaintext.
5.4. Authentication is performed via JSON Web Tokens (JWT) with a validity period of 7 (seven) days.
5.5. All data transmission is encrypted via HTTPS (TLS 1.2+).
5.6. Data retention periods:
The Controller shares personal data with the following third parties solely for the purposes indicated:
| Third Party | Data Shared | Purpose | Jurisdiction |
|---|---|---|---|
| TipTopPayments | Transaction identifier (card data is NOT shared) | Payment processing | Kazakhstan |
| WhatsApp (Meta Platforms) | Phone number | OTP delivery, messaging | USA |
| Amplitude | Anonymous event data | Product analytics | USA |
| Sentry | IP address, User Agent, stack trace | Error monitoring | USA |
| Resend | Email address | Email notifications | USA |
| Telegram (Telegram FZ-LLC) | Telegram user identifier | Bot notifications | UAE |
| Fly.io | All server-side data | Hosting infrastructure | Netherlands (EU) |
| Upstash, Inc. | Token blocklist, session cache | Data caching and token blocklist (Redis) | EU |
The Platform uses the following cookies:
| Cookie | Type | Purpose | Expiration |
|---|---|---|---|
| venue-token | Essential (httpOnly, Secure) | JWT authentication token | 7 days |
| venue-lang | Essential | Interface language preference (kz/ru/en) | 1 year |
In accordance with Article 15 of the Law, data subjects have the following rights:
8.1. Right of access — to obtain information about their personal data and the conditions of its processing.
8.2. Right to rectification — to request correction or supplementation of their personal data.
8.3. Right to erasure — to request deletion of their personal data (except where retention is required by law).
8.4. Right to withdraw consent — to withdraw consent to data processing at any time.
8.5. Right to data portability — to receive their data in a structured, machine-readable format.
8.6. To exercise these rights, please contact support@venuecall.app. Requests will be processed within 15 (fifteen) business days.
8.7. Users may submit an account deletion request through the Platform's "Settings" section or via email.
The Controller implements the following measures to protect personal data:
9.1. Organizational measures:
10.1. The primary database is located in the Netherlands (European Union) on the Fly.io platform.
10.2. Certain third-party services (Amplitude, Sentry, Resend, WhatsApp) may process data in the United States.
10.3. Cross-border data transfers are conducted in accordance with Article 16 of the Law, ensuring an adequate level of personal data protection in the recipient countries.
10.4. By registering on the Platform, the user consents to cross-border data transfers as described in this Policy.
11.1. The Controller reserves the right to modify this Policy at any time at its sole discretion.
11.2. The updated version of the Policy shall take effect upon publication on the Platform.
11.3. Users will be notified of material changes via email or an in-Platform notification.
11.4. Continued use of the Platform following publication of changes constitutes acceptance of the updated Policy.
Controller: IE Abdrakhmanov
IIN: 990331300094
Address: Almaty, Republic of Kazakhstan
Email: support@venuecall.app
Website: https://venuecall.app
Complaints regarding personal data processing may be sent to support@venuecall.app. Complaints will be reviewed within 15 (fifteen) business days.
If you believe your rights have been violated, you may file a complaint with the Committee on Information Security of the Ministry of Digital Development, Innovations and Aerospace Industry of the Republic of Kazakhstan (https://www.gov.kz).