Uvio Business Data Processing Terms

1. General Provisions

1.1. These Uvio Business Data Processing Terms explain when Uvio processes personal data on the company's behalf, when Uvio and the company act as independent controllers, and what obligations each party has when using the company dashboard, integration APIs, notifications, events, geozones, Sign In With Uvio, and related business scenarios.

1.2. These Terms apply together with the Uvio Business Terms of Service, the Uvio Business Privacy Policy, the Uvio Business Sign In With Uvio Rules, the Uvio Business Advertising Policy, and other relevant Uvio legal documents.

1.3. These Terms are intended to reflect generally accepted controller-processor practices, including GDPR-style allocation of responsibilities where that regime applies. They do not remove either party's obligation to comply with other mandatory laws, including laws on privacy, direct marketing, advertising, consumer protection, and information security.

2. Controller Information and Contacts

The personal data controller and the person providing services under the name "Uvio" is an individual entrepreneur Sultanbekov Artur Timerhanovich.

INN (Tax ID): 021101196690.

OGRNIP (Registration No.): 318028000111955.

Privacy inquiries: privacy@uvio.chat.

Legal inquiries: legal@uvio.chat.

3. Acceptance and Scope of Application

3.1. The company accepts these Terms by accepting the required Uvio business documents during registration, renewed confirmation of the current document set, access to the company dashboard, use of integration APIs, or use of another relevant Uvio business feature.

3.2. These Terms apply only to scenarios in which the use of Uvio involves personal data of natural persons, including data of company representatives, employees, contractors, customers, subscribers, or other persons where such data is uploaded to Uvio, transmitted through Uvio, or generated in connection with the company's instructions.

3.3. If a particular scenario requires a separate contract, separate consent, sector-specific regulation, or additional security conditions, the parties must handle those requirements separately and must not rely on these Terms alone as a substitute.

4. Roles of the Parties

4.1. The company acts as an independent controller to the extent that it determines the purposes of processing, categories of data, categories of data subjects, retention periods, or other essential elements of processing on its own side or in instructions it gives to Uvio.

4.2. Uvio acts as an independent controller for data it processes for its own purposes, including company account registration and administration, representative authority checks, access and security logging, infrastructure protection, key management, legal compliance, record-keeping for legal documents, dispute handling, abuse prevention, internal audit, and protection of Uvio's rights.

4.3. Uvio acts as a processor on the company's behalf only to the extent the company instructs Uvio to process personal data for the company's own purposes using Uvio functionality and the company determines the lawfulness and purpose of that processing.

4.4. In scenarios where Uvio and the company process data for their own separate purposes, each party acts as an independent controller for its own part of the processing unless law or a separate written agreement clearly provides otherwise.

5. Categories of Data That May Be Processed on the Company's Behalf

5.1. Depending on the functions used, the company may instruct Uvio to process the following categories of personal data:

• data of representatives, employees, and other team participants added to the company dashboard or company organization structure, including email address, first name, last name, role, department, phone number, access status, and internal notes;
• email addresses and other identifiers of users that the company expressly provides for individual delivery of notifications or similar addressed scenarios within available Uvio functionality;
• personal data that the company includes on its own initiative in notifications, events, materials, descriptions, metadata, links, attachments, or other content objects published through Uvio;
• data contained in support requests where those requests include information about particular individuals and require Uvio to act in the company's interest;
• other data expressly transferred by the company into Uvio in an agreed scenario where it is clear that Uvio is expected to process that data for the company's purposes.

5.2. The company must follow the data-minimization principle and must not transfer excessive data, special categories of data, biometric data, or children's data to Uvio without a separate lawful basis and prior coordination with Uvio where the nature of the scenario requires it.

6. Company Instructions, Purposes, and Permitted Processing Actions

6.1. The company instructs Uvio to process personal data only through documented instructions expressed in the company dashboard settings, integration API calls, Uvio documentation, support messages, or another confirmed communication channel between the parties.

6.2. Processing on the company's behalf may serve purposes such as:

• providing the company with team, role, and access-management functions;
• addressed delivery of notifications or other messages to identifiers that the company lawfully provided for that scenario;
• publication and maintenance of the company's events, materials, and other content objects;
• technical execution of campaign settings, offers, and other communication scenarios configured by the company;
• supporting the company in platform use, error correction, incident investigation, and restoration of agreed functions;
• other company purposes that are compatible with Uvio functionality and clearly follow from a confirmed usage scenario.

6.3. Within the scope of the company's instructions, Uvio may collect, record, organize, store, update, retrieve, use, transmit within Uvio infrastructure and to engaged subprocessors, anonymize, block, delete, or destroy personal data where that action is necessary to perform the instruction, maintain service security, or comply with law.

6.4. Uvio does not have to follow an instruction that is manifestly unlawful, infringes data subject rights, falls outside available Uvio functionality, or creates a disproportionate risk for platform security, users, or third parties.

7. Scenarios That Are Not Processing on the Company's Behalf

7.1. The following scenarios are not treated as processing on the company's behalf and instead fall under Uvio's own controller obligations as platform operator:

• company registration, authentication of company representatives, session management, legal-document record-keeping, plans, quotas, and company payment or accounting data;
• action logging, access audit, access-key management, monitoring, infrastructure protection, abuse prevention, and incident investigation;
• processing of Uvio user data within users' own accounts, subscriptions, notification settings, location permissions, consent-management flows, and other relationships between Uvio and the user.

7.2. In Sign In With Uvio scenarios on the company's external site or app, Uvio independently determines the processing needed to send and verify the one-time code, while the company independently determines the later processing of user data on its own side for sign-in, registration, session creation, and its own purposes.

7.3. In subscriber-based mass delivery within Uvio and in geo-based scenarios, Uvio independently processes subscription status, consent settings, location data, and technical geofence-entry events within its own platform. The company independently remains responsible for the legality of the offer, campaign, notification, or other promoted content and for its own legal basis to use that scenario in its business.

8. Company's Obligations as Controller

8.1. Before transferring data to Uvio or issuing an instruction, the company must have an appropriate legal basis for the relevant processing, including data subject consent where law requires it.

8.2. If a particular purpose requires separate consent, the company must obtain that consent separately from general terms, separately from informational messages, and separately from other documents accepted by the relevant individual.

8.3. The company must provide data subjects with the information required by law about the processing on the company's side, including information about purposes, scope, retention, transfer to Uvio, and available rights where that disclosure obligation belongs to the company.

8.4. The company must transfer only accurate and current data to Uvio, keep that data updated where needed, and without unreasonable delay delete or stop using data that is no longer needed for the declared purpose.

8.5. The company must not use Uvio for hidden data collection, circumvention of legal restrictions, unlawful advertising, discriminatory decision-making, unlawful profiling, or other scenarios that create an unacceptable risk for data subjects.

9. Confidentiality, Security, and Localization

9.1. Uvio keeps personal data processed on the company's behalf confidential and limits access to employees, contractors, and subprocessors who genuinely need that access to perform the relevant processing or secure the service.

9.2. Uvio applies appropriate legal, organizational, and technical measures for the security of the personal data it processes, taking into account the nature of the data and the risks to data subject rights. These measures may include access controls, action logging, secure communication channels, backup measures, incident monitoring, and other reasonably necessary safeguards.

9.3. The company remains responsible for security of its own credentials, integration keys, devices, internal processes, and users with access, because compromise of those elements may lead to unauthorized processing outside Uvio's control.

9.4. If a processing scenario is subject to localization requirements or specific transfer restrictions, the parties must not issue or follow instructions that would knowingly violate those requirements. Uvio applies local-storage or transfer safeguards to the relevant processing operations where law requires them.

10. Subprocessors and Third Parties

10.1. To perform the company's instructions and operate the platform, Uvio may engage subprocessors and other service providers for hosting, data storage, technical-message delivery, backup, information security, monitoring, infrastructure support, and similar supporting functions. Where applicable law requires controller authorization for subprocessors, the company grants Uvio a general authorization for such subprocessors to the extent reasonably necessary for the service model.

10.2. Uvio imposes confidentiality, security, and lawful-processing obligations on such subprocessors that are appropriate to the services they provide and no less protective in substance than the obligations Uvio applies to the relevant instructed processing.

10.3. If a particular scenario requires a more specific subprocessor list, a separate notice or objection mechanism, a special transfer arrangement, or additional contractual safeguards, the parties handle those conditions separately before the scenario is launched.

11. Data Subject Requests, Checks, and Incidents

11.1. If Uvio receives a data subject request that mainly concerns processing carried out by the company as controller, Uvio may forward the request to the company or notify the company of it where that is lawful and appropriate.

11.2. Within reasonable limits, Uvio assists the company with handling data subject requests, checks, confirmation of processing, blocking, correction, deletion, or other lawful responses where those actions concern data processed by Uvio on the company's behalf.

11.3. The company must provide Uvio without unreasonable delay with the information and directions needed to address a lawful request from a data subject or competent authority where that request concerns processing in Uvio infrastructure.

11.4. If either party identifies an incident that caused or may have caused unauthorized or accidental disclosure, access, destruction, alteration, blocking, copying, or another security breach affecting personal data, that party must notify the other without unreasonable delay and provide the information reasonably available for impact assessment and response.

11.5. At the company's request, Uvio may provide general information and documents reasonably demonstrating Uvio's data protection measures where doing so does not disclose trade secrets, other customers' confidential information, or security-sensitive details that would create a material risk.

12. Retention, Return, and Deletion

12.1. Personal data processed by Uvio on the company's behalf is kept no longer than necessary for the instructed purpose, performance of the agreement with the company, compliance with mandatory law, protection of Uvio's rights, or resolution of incidents and disputes.

12.2. If Uvio functionality allows the company to delete data, disable a processing scenario, revoke access, deactivate a team member, or delete a relevant content object by itself, the company must use those mechanisms in a timely way once the purpose of processing no longer exists.

12.3. After termination of the relationship with the company or termination of a specific processing scenario, Uvio deletes, anonymizes, or stops active processing of data covered by the company's instructions within a reasonable technical period, unless longer retention is required by law, security obligations, backup cycles, protection of Uvio's rights, or an active dispute.

12.4. The company understands that some data may remain for a limited additional period in backups, security logs, and other technical layers as needed to complete secure retention and deletion cycles.

13. Liability and Final Provisions

13.1. The company remains responsible for the lawful origin of the data, lawfulness of its instructions, content of the materials it places in Uvio, and lawfulness of its further processing on its own side.

13.2. Uvio remains responsible for fulfilling its obligations as an independent controller for its own purposes and as a processor within the agreed scope of the company's instructions and applicable law.

13.3. If one party's breach directly causes fines, losses, mandatory expenses, or third-party claims for the other party, the party at fault must reimburse those consequences to the extent they were directly caused by that breach, unless mandatory law or a separate written agreement provides otherwise.

13.4. Uvio may update these Terms when required by changes in law, service architecture, business features, categories of processed data, or the model for allocating roles between the parties. The current version is published in Uvio's legal documents section.

13.5. If a provision of these Terms is found invalid or unenforceable, the remaining provisions remain in effect to the extent they do not conflict with applicable law.