Uvio Consumer Privacy Policy

1. General Provisions

1.1. This Uvio Consumer Privacy Policy sets out how Uvio processes personal data of individuals who use the Uvio app, website, and other user-facing interfaces of the service.

1.2. This Policy applies to personal data processed when a user registers, signs in, subscribes to companies, uses events and calendar features, receives notifications, views company and event pages, or uses sign-in flows on external company sites or apps through Uvio.

1.3. This Policy is intended to work together with the Uvio Consumer Terms of Service, the cookie notice, the Uvio visitor data policy where applicable, and, where relevant, separate documents on service location use and geo-promotional scenarios.

2. Controller Information and Contacts

The personal data controller and the person providing services under the name "Uvio" is an individual entrepreneur Sultanbekov Artur Timerhanovich.

INN (Tax ID): 021101196690.

OGRNIP (Registration No.): 318028000111955.

Privacy inquiries: privacy@uvio.chat.

Legal inquiries: legal@uvio.chat.

3. Categories of Data We May Process

3.1. Depending on the scenario, Uvio may process the following categories of personal data:

• account data: email address, first name, last name, system-generated or otherwise assigned user name, account status, and email verification status;
• authentication and session data: one-time codes, sign-in and sign-out information, refresh and access sessions, device and web session data, saved-device information, and security logs;
• profile data: avatar, profile image history, language settings, and other user preferences;
• device and usage data: device identifiers, push tokens, app version, operating system version, time zone, notification settings, notification restriction settings, background app events, and other technical service-use events;
• subscription and content-interaction data: company subscriptions, subscription status, likes, bookmarks, views, saved events, and other actions within the service;
• calendar and event data: personal events and reminders, saved public events, calendar subscriptions, shared links, and related metadata;
• location data and geofence events, if the user has provided the required separate consent and device permissions;
• web data: IP address, browser information and identifier, cookies, web session data, visits to public company and event pages, calendar file downloads, and links followed to external calendars;
• data transmitted to a company at the user's initiative when the user uses a sign-in or registration flow on an external company site or app through Uvio.

3.2. Uvio does not request special categories of personal data unless this is required by law or by a separate specialized scenario.

3.3. Uvio is intended for users who are at least 16 years old, unless a different age threshold applies under mandatory law in the relevant jurisdiction. If Uvio becomes aware that data is being processed in connection with an account of a person below the applicable age threshold without the required guardian consent, Uvio may restrict processing, suspend the account, or delete the account as permitted by applicable law.

4. Sources of Data

4.1. Uvio receives data directly from the user when the user registers, signs in, edits the profile, manages subscriptions, uses events and calendar features, enables location functionality, or uses other service features.

4.2. Some data is generated automatically when the user uses the app, website, or other Uvio interfaces, including device data, technical events, background app events, session data, push tokens, and notification delivery information.

4.3. When the user uses a sign-in or registration flow on an external company site or app through Uvio, some data is generated as a result of the user's one-time code verification and the subsequent data exchange between Uvio and the relevant company.

5. Purposes and Legal Bases

5.1. Uvio processes personal data for the following purposes:

• creating, maintaining, and protecting the user's account;
• authenticating the user with a one-time code and maintaining user sessions;
• providing subscriptions, notifications, feed content, events, calendar features, and public company and event pages;
• displaying, selecting, ranking, and limiting the frequency of sponsored, promoted, or advertising materials inside Uvio, where such materials are used in the service;
• using location data to display, select, rank, and limit the frequency of geo-based promotional or advertising materials inside Uvio, where the user has provided the required separate consents and device permissions remain active;
• delivering service messages, security notices, and other messages that are necessary for the operation of the service;
• using additional features, including location-based scenarios, where the user has provided the required separate consent and device permissions;
• running sign-in or registration flows on external company sites or apps through Uvio at the user's request;
• ensuring information security, preventing abuse, and protecting Uvio, users, and third parties;
• complying with legal obligations.

5.2. Depending on the purpose, Uvio relies on one or more of the following legal bases: the user's consent where required, performance of a contract or steps at the user's request before entering into a contract, compliance with a legal obligation, and Uvio's or a third party's legitimate interests where those interests are not overridden by the user's rights and freedoms.

5.3. For service location scenarios and geo-promotional scenarios where a separate consent is required by law or by the product model, Uvio uses separate consent flows and separate documents.

5.4. Where Uvio uses sponsored or advertising materials inside the service, the selection and display of those materials may take into account subscription data, interaction data, device technical data, and interface settings.

5.5. Geo data used for geo-promotional or geo-advertising scenarios is processed only if the user has provided both the separate service-location consent and the separate geo-promo consent, and only where the relevant device permissions remain active.

5.6. For technical support of geo-based scenarios, Uvio may also use push tokens, notification delivery infrastructure, and background app events where those mechanisms are necessary to update app state, check geo-based conditions, or display materials correctly inside the service. The use of such technical mechanisms by itself does not mean that a direct advertising message is shown to the user on the device.

6. Sign-In and Registration on External Company Sites and Apps Through Uvio

6.1. The user may choose to use Uvio to confirm sign-in or registration on an external company site or app through a one-time code flow.

6.2. In that scenario, after successful verification of the one-time code, Uvio may transmit to the relevant company a limited set of user data needed to create, link, or confirm the user's account on the company's side. The current scope of that data is disclosed in the relevant privacy documents and in the company interface before the code is entered.

6.3. The user understands that after the flow is completed, the company acts as an independent controller processing data on its own side under its own documents and legal model.

6.4. If the user does not agree with the data transfer to the relevant company or with the company's terms, the user should not complete that sign-in or registration flow.

7. Automatic Subscription After Company Sign-In

7.1. If a particular Uvio sign-in flow includes automatic creation or reactivation of a user's subscription to the relevant company after successful one-time code verification, that result must be disclosed clearly in the company interface before the code is entered.

7.2. After the subscription is created or reactivated, the user may manage it through Uvio, including unsubscribing or changing related settings where those functions are available.

7.3. If the user does not want such a subscription to be created or reactivated, the user should not complete the one-time code flow without first reviewing the company's disclosures.

8. Recipients and Transfers

8.1. Uvio does not sell personal data.

8.2. User data may be shared with:

• companies the user subscribes to or companies with which the user initiates a separate interaction flow through Uvio, including sign-in through Uvio on the company side, to the extent needed for that purpose;
• service providers acting on Uvio's behalf and supporting hosting, security, infrastructure, and notification delivery, where such sharing is necessary for the service;
• public authorities, courts, and other authorized parties where and to the extent required by applicable law.

8.3. If the user independently opens a third-party service, for example an external calendar or a company website, that service processes data under its own rules.

8.4. Cross-border transfers are made only where allowed by applicable law and where the required safeguards and procedures are in place.

9. Security

9.1. Uvio applies appropriate legal, organizational, and technical measures to protect personal data against unauthorized or accidental access, destruction, alteration, blocking, copying, disclosure, distribution, or other unlawful acts.

9.2. Such measures may include access controls, session controls, secure communication channels, logging, and incident monitoring.

9.3. Even with such measures, internet transmission and information-system storage cannot be considered absolutely secure, so Uvio cannot guarantee that all risks outside its reasonable control will be eliminated.

10. Retention and Localization

10.1. Personal data is retained no longer than necessary for the purposes of processing, unless a longer retention period is required by applicable law, the protection of Uvio's rights, or lawful procedures.

10.2. Account data is retained for as long as the account exists and, after deletion or termination of use, for the period needed to complete lawful deletion, archiving, or anonymization procedures.

10.3. Session data, web sign-in data, device data, notification delivery data, and security data are retained for as long as needed to keep the service running, protect the user's account, and investigate incidents.

10.4. Uvio does not promise storage in any particular country or region unless that is stated separately or required by applicable law.

10.5. Where applicable law requires local storage or other data localization measures, Uvio applies those requirements to the relevant data and processing operations.

11. User Rights

11.1. The user may request information about the processing of personal data, request correction of inaccurate data, request deletion of data that is no longer needed or was processed unlawfully, and exercise other rights granted by applicable law.

11.2. Where the GDPR applies, the user may also have the right to access personal data, rectification, erasure, restriction of processing, data portability, and objection, including an objection to direct marketing and related profiling where applicable.

11.3. The user may withdraw consent where processing is based on consent. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.

11.4. To exercise rights, the user may send a request to privacy@uvio.chat. Uvio may request information needed to verify the requester's identity and authority.

11.5. Where the GDPR applies, the user may also lodge a complaint with a supervisory authority and may have other remedies under applicable law.

12. Changes to This Policy

12.1. Uvio may update this Policy when required by changes in law, the service model, the way data is processed, the consent model, or the available product scenarios.

12.2. The current version of this Policy is published in Uvio's legal documents section together with its version date. Where appropriate, users may also be informed through the app, website, or another Uvio interface.