Privacy and Personal Data Processing Policy

1. General provisions

1.1. This Privacy Policy (the “Policy”) sets out the procedure for processing and protecting the personal data of natural persons (the “Subjects”), carried out by IP «Daily Rent», BIN 970117351696, registered address: Republic of Kazakhstan, Astana, 62 Kenesary Street (the “Operator”).

1.2. The Policy has been developed in accordance with the Law of the Republic of Kazakhstan of 21 May 2013 No. 94-V «On Personal Data and Their Protection» (the “PDP Law”), the Constitution of the Republic of Kazakhstan and other regulatory legal acts of the Republic of Kazakhstan.

1.3. Capitalised terms have the meanings set out in Article 1 of the PDP Law (including the definition of “personal data” as amended by the Law of the Republic of Kazakhstan of 17 November 2025 No. 231-VIII), unless otherwise defined in this Policy.

1.4. The term “Personal Data Subject” includes the “Guest” within the meaning of the Public Offer, as well as any other natural persons whose personal data is processed by the Operator (for example, prospective Guests who did not complete a booking, contact persons for group bookings, payers who are not the Guest).

1.5. By accepting the terms of the Public Offer and making a booking, the Subject confirms their consent to the processing of personal data in the manner and on the terms of this Policy.

2. Categories of personal data processed

2.1. The Operator processes the following categories of personal data:

2.1.1. Identification data:

• surname, name, patronymic (if any);
• date of birth;
• citizenship;
• passport / identity document data (series, number, date of issue, issuing authority) — collected only on check-in in accordance with the legislation of the Republic of Kazakhstan on migration registration.

2.1.2. Contact data:

• mobile phone number;
• email address;
• messenger identifier (WhatsApp).

2.1.3. Payment data:

• transaction amount, date, payment identifier.
• Bank card details for paying for the booking are not collected by the Operator — they are entered by the Subject directly on the secure page of the Halyk ePay or Kaspi Pay payment gateway (see section 9). The Operator may collect and temporarily store the Guest’s bank card number, IBAN account number, or mobile phone number solely for the purpose of refunding the security deposit, refunding the cost of a cancelled booking, or refunding an erroneous payment in the manner provided by the Refund and Cancellation Terms and the Payment Rules; such details are stored no longer than necessary for the relevant refund.

2.1.4. Technical data on use of the Website:

• IP address;
• browser type and version, operating system;
• cookie files (see section 8).

2.1.5. Access-control system data (where present at the Property):

• date and time of door opening, booking identifier;
• event logs are used solely for access control and Property security within the meaning of Article 11 of the Law of the Republic of Kazakhstan «On the Protection of Consumer Rights»;
• the retention period for event logs is no more than 90 (ninety) days from the Guest’s check-out date, after which the data is anonymised or destroyed.

2.2. Accompanied minors. When accommodating minors, the Operator processes their personal data only to the extent necessary for migration registration, identification and ensuring the safety of the stay (surname, name and patronymic, if any, date of birth, citizenship, passport data if any). Consent to the processing of a minor’s personal data is confirmed by their legal representative or by an accompanying adult acting on a lawful basis, in the manner provided by the legislation of the Republic of Kazakhstan and Articles 22-1 and 23 of the Civil Code of the Republic of Kazakhstan.

2.3. Video and audio surveillance — none. The Operator’s Properties are not equipped with surveillance cameras, microphones, voice assistants or other devices for automated collection of audio or video data. The category of data collected by access-control systems (smart locks), retention periods and the procedure for protecting such data are set out in section 2.1.5 of this Policy.

3. Purposes of personal data processing

3.1. The Operator processes personal data for the following purposes:

• performance of the contract for short-term rental services (booking, check-in, check-out and settlement of payment for Services);
• communication with the Subject on matters of booking, stay and feedback;
• performance of obligations to the state authorities of the Republic of Kazakhstan, including tax reporting to the State Revenue Committee of the Ministry of Finance of the Republic of Kazakhstan;
• ensuring the safety of the Properties and the Operator’s property, including verification of the Subject’s identity on check-in;
• resolution of disputes and complaints related to the provision of services;
• improving the quality of the Services based on anonymised feedback.

3.2. The Operator does not use personal data for marketing purposes, profiling, third-party advertising or transfer to advertising networks.

4. Legal grounds for processing

4.1. Personal data is processed on the following legal grounds established by the PDP Law:

• the Subject’s consent, expressed by accepting the Public Offer and providing the data at the time of booking (Articles 7–8 of the PDP Law); such consent extends to the collection and processing of personal data to the extent necessary for performance of the short-term rental services contract;
• processing without consent in cases expressly provided by the PDP Law — to the extent the Operator performs obligations established by the legislation of the Republic of Kazakhstan (including tax and customs accounting, migration registration of foreign nationals, accounting reporting) — on the grounds listed in the relevant subparagraphs of Article 9 of the PDP Law;
• protection of legitimate rights and interests of the Operator and third parties (fraud prevention, security of property and the Properties) — within the limits permitted by the legislation of the Republic of Kazakhstan.

5. Transfer of personal data to third parties and cross-border transfer

5.1. Recipients of data in the Republic of Kazakhstan

The Operator transfers personal data to the following recipients in Kazakhstan strictly to the extent necessary for performance of the contract and compliance with legal requirements:

5.2. Booking Channels with foreign jurisdiction — status as independent operators

Booking.com Holdings B.V. (Kingdom of the Netherlands), Airbnb Ireland UC (Ireland) and Sutochno.ru LLC (Russian Federation) are independent personal data operators within the meaning of the PDP Law. These platforms:

• collect the Guest’s personal data on their own platforms when the booking is made, and process it in accordance with their own privacy policies, to which the Subject agrees before and independently of any interaction with the Operator;
• transfer to the Operator the minimum necessary booking data (name, contact details, stay dates, chosen Property) for performance of the services contract;
• the Operator does not initiate an independent cross-border transfer of personal data to these platforms — the exchange of booking information takes place within the platform’s own infrastructure and is governed by its rules and by the Subject’s consent expressed on that platform.

5.3. Cross-border transfer in performance of the contract

The Channels in question are independent personal data operators with respect to the data they collect from the Guest through their own platforms.

For certain outgoing messages, documents and booking statuses, the Operator sends to the Guest or the Channel — through the messaging system or personal account of the relevant platform — the following: replies to Guest enquiries, confirmations and invoices, and booking status updates. To that extent, the Operator is the person carrying out the transfer of personal data to the relevant Channel to the minimum extent required for performance of the booking, dispute resolution or compliance with the Channel’s requirements.

Such operations are limited to the minimum scope of personal data required for the specific communication in performance of the services contract, and are based on a combination of the following grounds provided by the PDP Law: (i) the Subject’s consent, expressed when making the booking through the relevant Booking Channel and extending to cross-border transfer of personal data to the relevant platform (Articles 7–8 of the PDP Law); (ii) performance of the services contract to which the Subject is a party — for the Operator’s responsive communications and exchange with the Channel necessary to process the booking; (iii) the provisions of Article 16 of the PDP Law on cross-border personal data transfer. If the foreign state where the relevant Booking Channel is located does not ensure personal data protection within the meaning of Article 16 of the PDP Law, transfer is carried out subject to the Subject’s consent to cross-border transfer.

Before concluding a contract through a foreign Channel, the Guest is informed by the platform of the data-storage jurisdiction and of the personal data processing terms of the relevant operator.

5.4. Use of WhatsApp messenger

For prompt communication with the Guest (section 5.1 of the Public Offer), the Operator uses the WhatsApp messenger, operated by WhatsApp LLC / Meta Platforms, Inc. (registered office: United States of America; European representation — Meta Platforms Ireland Limited, Ireland). Use of WhatsApp for communication with the Guest involves processing the Guest’s contact data (phone number, profile name, message contents) on that operator’s infrastructure. A Guest who initiates communication via WhatsApp thereby confirms their consent to the use of this communication channel; alternative channels (email, SMS, messages in the personal account on the relevant Booking Channel) are available at the Guest’s choice.

5.5. Prohibitions

The Operator does not sell, rent out, or transfer personal data to third parties for commercial or marketing purposes.

6. Retention periods of personal data

6.1. The Operator retains personal data for periods necessary to achieve the processing purposes and to comply with legal requirements:

• booking and payment data — for 5 (five) years from the date of stay completion (the statutory retention period for tax and accounting records under the legislation of the Republic of Kazakhstan);
• passport data — for the period set by the legislation of the Republic of Kazakhstan on migration registration, after which it is destroyed;
• cookie files — in accordance with the Subject’s browser settings (see section 8).

6.2. On expiry of retention periods, personal data is destroyed or anonymised.

7. Rights of the personal data subject

7.1. Under Articles 24–25 of the PDP Law, the Subject has the right to:

• receive information about the processing of their personal data (scope, purposes, sources and methods);
• demand correction of personal data in case of inaccuracy or incompleteness;
• demand destruction of personal data on the grounds provided by law;
• withdraw consent to processing of personal data at any time;
• appeal against actions of the Operator to the authorised body for personal data protection — the Committee for Information Security of the Ministry of Digital Development, Innovations and Aerospace Industry of the Republic of Kazakhstan (KIB MCRIAP RK) — or to court.

7.2. To exercise their rights, the Subject sends a written request to the Operator’s email address hello@dailyrent.kz. The Operator is required to consider the request and provide a response within no more than 15 (fifteen) calendar days under paragraph 3 of Article 25 of the PDP Law (as amended by the Law of the Republic of Kazakhstan of 17 November 2025 No. 231-VIII).

7.3. Withdrawal of consent to the processing of personal data necessary for performance of the contract (booking, check-in, payment) means that further provision of Services becomes impossible and may be grounds for termination of the contract.

7.4. Cessation of processing after withdrawal of consent. On withdrawal of the Subject’s consent, the Operator ceases processing of the relevant personal data within 15 (fifteen) calendar days under Article 8 of the PDP Law (as amended by the Law of the Republic of Kazakhstan of 17 November 2025 No. 231-VIII), except where further storage or processing is expressly required by the legislation of the Republic of Kazakhstan (in particular, tax, accounting and migration law), or the Operator sends the Subject a reasoned refusal to cease processing within the said period.

8. Use of cookies and technical data

8.1. The Website dailyrent.kz uses technically necessary (functional) cookies for correct operation:

• saving language settings;
• session authorisation in protected sections;
• prevention of CSRF attacks.

8.2. The Website does not use:

• analytics cookies (Google Analytics, Yandex.Metrica and similar);
• marketing and advertising cookies;
• social-media trackers.

8.2-bis. The Website may use security cookies from the infrastructure provider Cloudflare, Inc. (__cf_bm, cf_clearance, _cfuvid), used for protection against automated attacks and spam. These cookies are technical and are not used for tracking, profiling or advertising. Provider’s policy: cloudflare.com/privacypolicy.

8.3. The Subject may disable cookies in their browser settings. Disabling technically necessary cookies may result in incorrect operation of certain Website functions.

9. Measures to protect personal data

9.1. The Operator takes the following measures to protect personal data from unauthorised access, alteration, disclosure or destruction:

• placement of personal data databases on the territory of the Republic of Kazakhstan in accordance with paragraph 4 of Article 12 of the Law of the Republic of Kazakhstan of 21 May 2013 No. 94-V «On Personal Data and Their Protection» (hosting — a KZ-resident VPS physically located in a data centre in Astana);
• transfer of data via the secure HTTPS/TLS protocol (encryption of the communication channel);
• access restriction — data are accessible to the Operator and to specialists engaged as needed who have signed a confidentiality undertaking; the list of persons with access is approved by the Operator’s internal order and updated when the composition changes;
• physical protection of locations where paper records are stored (passport copies collected at check-in are kept in locked premises of the Operator);
• regular deletion of data on expiry of retention periods;
• payment processing through certified gateways (Halyk ePay — JSC «Halyk Bank of Kazakhstan»), compliant with the PCI DSS standard: bank card details are processed solely by the acquirer and are not transferred to the Operator.

9.2. In the event of detection of a leak, unauthorised access or other compromising event affecting personal data, the Operator notifies:

• the authorised body (KIB MCRIAP RK) — in the manner and within the deadline established by the current law of the Republic of Kazakhstan on personal data (Law of the Republic of Kazakhstan of 21 May 2013 No. 94-V «On Personal Data and Their Protection», as amended in 2024) and orders of the authorised body, from the moment of detection;
• affected Subjects — as soon as reasonably possible from the moment of detection, using the email addresses and contacts provided on booking, indicating the nature of the incident, categories of data affected, protective measures being taken, and contacts for enquiries.

If these deadlines cannot be met for objective reasons (an ongoing investigation, instructions from law enforcement authorities), the Operator notifies with justification of the delay.

10. Interaction with the authorised body

10.1. The authorised body for personal data protection in the Republic of Kazakhstan is the Committee for Information Security of the Ministry of Digital Development, Innovations and Aerospace Industry of the Republic of Kazakhstan (KIB MCRIAP RK). Supervision of compliance with personal data law, consideration of subjects’ complaints, and application of state regulatory measures are carried out by that body.

10.2. Person responsible for personal data protection at IP «Daily Rent»: Vladislav Valerievich Novik. Contact for Subjects’ requests: hello@dailyrent.kz. The procedure and deadlines for notifying the KIB MCRIAP RK of personal data security incidents are set out in section 9.2 of this Policy.

11. Operator contacts

For all matters relating to the processing of personal data, please contact the Operator using the following details:

• Operator: IP «Daily Rent», BIN 970117351696
• Address: Republic of Kazakhstan, Astana, 62 Kenesary Street
• Phone / WhatsApp: +7 (776) 131-17-17 and +7 (775) 807-44-51 (both numbers also available on the WhatsApp messenger)
• Email: hello@dailyrent.kz
• Website: dailyrent.kz

Full details — on the Details page.

The legally binding version of this Policy is the Russian version. This English translation is provided for informational purposes only. In case of any discrepancy between this translation and the Russian original, the Russian original prevails.