QONX.AI · SEVEN LUCKS LLP · БИН 170940030760
Privacy Policy & Personal Data Protection
Effective date: June 16, 2026Published at: https://qonx.ai/privacy
This Privacy Policy and Personal Data Protection Policy (the "Policy") is an official document of SEVEN LUCKS LLP (BIN 170940030760), hereinafter referred to as the "Contractor," and governs the collection, processing, systematization, storage, and protection of personal data and other information of individuals and legal entities (hereinafter "User") using the analytical platform QONX.AI, operated exclusively as a SaaS web application (hereinafter the "Platform").
By registering on the Platform and checking the "I accept the Terms of Service and Privacy Policy" checkbox, the User gives their full, unconditional, and informed consent to the collection and processing of their personal data under the conditions set out in this Policy.
1. Legal Basis
1.1This Policy was developed in accordance with the Constitution of the Republic of Kazakhstan, the Law of the Republic of Kazakhstan No. 94-V dated May 21, 2013 "On Personal Data and Their Protection," and other regulatory acts of the Republic of Kazakhstan in the field of data protection.
1.2For Users who are residents of foreign countries, the Contractor ensures compliance with international standards, including the General Data Protection Regulation (GDPR) (EU 2016/679), UAE Federal Decree-Law No. 45 of 2021 on Personal Data Protection (UAE PDPL), UK GDPR, and the Swiss Federal Act on Data Protection (nDSG).
2. Data We Collect and Process
The Contractor collects the following categories of information:
2.1Information provided by the User upon registration and use of the Platform:
- •Email address;
- •Username;
- •Authentication data via external services Google or GitHub (when using the corresponding sign-in method);
- •Additional information that the registration form may request from the User to fulfill the Contractor's obligations. Processing of data of persons under 16 (sixteen) years of age without the consent of legal representatives is not permitted on the Platform.
2.2Biometric data: In cases provided for by the Platform's functionality, biometric data processing is carried out exclusively on the basis of the User's separate, explicit, and voluntary consent in accordance with GDPR Art. 9 and applicable national law. Refusal to provide biometric data does not restrict the User's access to the Platform's core functionality.
2.3Payment data: When processing payments through the Paddle international payment system (Merchant of Record), the Contractor does not collect or store full bank card details. This data is transmitted in encrypted form directly to certified payment providers in accordance with PCI-DSS standards. The Contractor only receives the technical transaction status, masked card data, and subscription identifiers for accounting purposes.
2.4Technical, analytical data and request history (collected automatically):
- •IP address, cookies, unique device identifiers (UUID), operating system type and browser type;
- •User activity logs on the Platform, date and time of access, technical parameters of exported PDF reports;
- •History of requests and conversations sent to the built-in AI agent. Cookies on the website are collected based on the User's consent via an interactive banner on first visit.
3. Purposes of Data Collection and Processing
The Contractor collects and processes data exclusively for the following purposes:
3.1Identification of the User in the Information System and provision of access to the Personal Account of the web application.
3.2Ensuring the correct functioning of the Platform's algorithms, processing the User's text requests to the AI agent (LLM) and generating analytical reports.
3.3Communication with the User (technical support, sending important notifications about Pricing Plan changes, scheduled maintenance).
3.4Processing payments, administering subscriptions through Paddle, issuing invoices for legal entities.
3.5Protecting the information security of the Platform: analyzing logs to prevent hacking attacks, fraud, unauthorized mass database downloading (scraping), reverse engineering of AI models, and other violations (including use of VPN to circumvent geo-restrictions, chargeback fraud, multi-accounting, and account sharing).
3.6Conducting anonymized statistical and marketing research based on Big Data, improving service quality, and internal AI model training in fully aggregated form.
3.7Marketing communications: Advertising and marketing mailings are only sent if the User activates a separate optional checkbox during registration. This consent can be revoked at any time through the Personal Account settings or by sending a request to sevenlucks05@gmail.com 4. Data Processing Principles
4.1Personal data is processed on the basis of the principles of legality, confidentiality, purpose limitation, data minimization, and security.
4.2Data processing may be carried out both by automated and non-automated means.
4.3Personal data is stored in a form that allows identification of the User no longer than required by the purposes of processing, or until the User withdraws consent (unless a longer storage period is required by Kazakhstan law or applicable international mandatory law).
5. Transfer of Data to Third Parties
Users' personal data is strictly confidential. The Contractor may transfer data to third parties exclusively in the following limited cases:
5.1Transfer of data to specialized contractors and infrastructure services (including the Paddle international payment system and hosting providers) exclusively to the extent necessary to process transactions, administer subscriptions, and ensure the Platform's operation.
Data Recipients
| Service | What is transferred | Purpose |
|---|
| Clerk (clerk.com) | Email, authentication sessions | Authorization and account management |
| Google Gemini API | User query text | AI request processing |
| Paddle (paddle.com) | Email, transaction amount, status | Payment and subscription processing |
| Trade data provider | Search parameters | Retrieval of customs data |
| Hosting provider (USA) | All platform data | Infrastructure and storage |
5.2The Contractor has the right to disclose technical logs, IP addresses, and User registration data to cybersecurity services, IT auditors, or rights holders if the Platform detects suspicious or prohibited User activity (automated scraping, use of botnets, attempts to hack algorithms, or unauthorized data downloading) for the purpose of protecting the intellectual property of SEVEN LUCKS LLP.
5.3Transfer of data to government and law enforcement authorities (including courts and national security agencies) is carried out strictly in accordance with the legislation of the Republic of Kazakhstan or applicable international law on the basis of official substantiated requests.
6. Data Protection and Security Measures
6.1The Contractor takes necessary and sufficient legal, organizational, and technical measures to protect the User's personal data from unlawful or accidental access, destruction, modification, blocking, copying, dissemination, and other unlawful actions by third parties.
6.2Data protection is ensured through the use of modern encryption protocols (SSL/TLS), restricting physical and software access to database servers, and regular internal security vulnerability audits. In the event of a cross-border data breach or security violation, the Contractor undertakes to immediately notify supervisory authorities and Users in accordance with PDPL UAE Art. 12, GDPR, and Kazakhstan laws.
7. User Rights
In accordance with the Law of the Republic of Kazakhstan "On Personal Data and Their Protection," the GDPR, and the UAE PDPL, the User has the right to:
7.1Know about the existence of their personal data with the Contractor and receive information about what data, by what methods, and on what grounds it is being processed.
7.2Request the modification, addition, correction, or clarification of their data in the event of inaccuracy, incompleteness, or imprecision.
7.3Withdraw their consent to the collection and processing of personal data and request its complete deletion (the "right to be forgotten") by sending an official request to: sevenlucks05@gmail.com The User also has the right to independently delete individual conversations or the entire conversation history with the AI agent directly through the Personal Account interface. 7.4Legal restriction and exceptions: Withdrawal of the User's consent automatically entails immediate deletion of their account and the inability to continue using the QONX.AI Platform. Previously made payments for current subscription periods are non-refundable, except in cases expressly provided for in the User Agreement (including unconditional refund within the 14-day "Cooling-Off Period" for EU-resident Consumers with no requests made). 8. Changes to This Policy
8.1The Contractor has the right to unilaterally modify or supplement the terms of this Policy at any time. Users are notified of changes that materially affect their rights and data processing procedures at least 14 days before the changes take effect, by publishing a notice on the Platform or sending a notification by email.
8.2The new version of the Policy takes effect from the moment of its publication on the Platform, unless otherwise specified. Continued use of the Platform after publication of the changes constitutes the User's agreement to the updated terms.
9. Dispute Resolution and Applicable Law
9.1The current legislation of the Republic of Kazakhstan applies to the relations between the Parties under this Policy. If the applicable mandatory legislation of the User's country of residence (including EU or UAE consumer protection laws) grants the User additional inalienable rights, such provisions apply in parallel.
9.2All disputes arising from this Policy are subject to mandatory pre-trial dispute resolution. The response period for a written claim is 15 (fifteen) business days from receipt at: sevenlucks05@gmail.com 9.3Jurisdiction for KZ and CIS residents: If the dispute cannot be resolved through the claims procedure, it shall be submitted to a state court at the Contractor's location (Astana, Republic of Kazakhstan).
9.4Jurisdiction for B2B clients from non-CIS countries (EU, USA, UAE): All disputes shall be finally resolved by the International Arbitration Centre (IAC) at the Astana International Financial Centre (AIFC). Venue — Astana, Kazakhstan. Language — Russian. Number of arbitrators — 1 (one).
9.5Special conditions for EU, UK, and UAE Consumers: The arbitration clause (Section 9.4) does not apply to consumer disputes with individuals. Consumer users retain the right to:
- •Apply to courts at their official place of residence;
- •Use the European Online Dispute Resolution platform: ec.europa.eu/consumers/odr;
- •File complaints with national consumer protection authorities or the UAE Ministry of Economy (Consumer Protection Department);
- •Claim compensation for actual damages under GDPR Art. 82 in case of the Contractor's breach of data protection obligations.
10. Data Storage Location
10.1Users' personal data and their request history are physically stored on secured servers located in the United States of America (USA). The name of the specific cloud or hosting provider is not disclosed by the Contractor for purposes of maintaining trade secrets and protecting information security infrastructure.
10.2Users who are residents of the European Union (EU) / European Economic Area (EEA) acknowledge and agree that cross-border transfer of their data to the USA is carried out on the basis of applicable lawful mechanisms, including Standard Contractual Clauses (SCC) approved by the European Commission.
11. Contractor's Legal Details
| Contractor | SEVEN LUCKS LLP |
| BIN | 170940030760 |
| Legal address | 010000, Republic of Kazakhstan, Astana, Yesil District, E 669 St., 13, office 30 |
| IIK (bank account) | KZ06601A321000381611 |
| BIK (bank code) | HSBKKZKX |
| Bank | Halyk Bank of Kazakhstan JSC |
| Director | Yandiyev Zelimkhan Isayevich |
Official Contact Channels (Email)