This Privacy and Personal Data Processing Policy (the “Policy”) defines the procedures, purposes, and principles governing the processing and protection of information relating to Users of the Daisy service, accessible via the web application (the “Service”). This Policy has been developed in accordance with the requirements of the Law of the Republic of Kazakhstan No. 94-V dated 21 May 2013 “On Personal Data and Their Protection” and applies information security measures based on generally accepted international practices, including certain principles of the ISO/IEC 27001 standard.
Personal data shall be processed in accordance with the applicable personal data protection laws of the relevant jurisdictions to the extent that such laws do not conflict with the legislation of the Republic of Kazakhstan, being the jurisdiction in which the Operator is registered.
1. TERMS AND DEFINITIONS
1.1. Operator (Service Administration, “We”) means Daisy Mental Health LLP, incorporated under the laws of the Republic of Kazakhstan, Business Identification Number (BIN): 250240028245, with its registered address at Kostanay, 6-1-81, whose authorized employees organize and/or carry out the processing of personal data and determine the purposes and scope of such processing.
1.2. User (Data Subject) means an individual who has attained the age of eighteen (18) years and uses the Service through the web application.
1.3. Personal Data means any information relating to an identified or identifiable natural person, whether directly or indirectly.
1.4. Sensitive (Special Category) Personal Data means data revealing the psychological and emotional condition of a data subject, including personal experiences, family circumstances, and interpersonal situations. For the purposes of this Policy, Sensitive Personal Data primarily includes the User’s text messages exchanged with the Service’s AI Assistant.
1.5. Processing of Personal Data means any operation or set of operations performed on Personal Data, including collection, recording, systematization, accumulation, storage, updating, retrieval, use, transfer, depersonalization, blocking, deletion, and destruction.
1.6. Confidentiality of Personal Data means the mandatory requirement to prevent the disclosure or dissemination of Personal Data without the consent of the Data Subject or another lawful basis.
1.7. AI Assistant means a software module of the Service based on a language model and behavioral analysis algorithms that interacts with Users, generates responses, and provides behavioral recommendations.
1.8. De-identification (Anonymization) means actions resulting in the impossibility of determining the association of Personal Data with a specific Data Subject without the use of additional information.
1.9. Information Security Management System (ISMS) means a risk-based management system designed to establish, implement, operate, and continuously improve information security in accordance with ISO/IEC 27001 principles.
1.10. Cookies means a small piece of data sent by a web server and stored on the User’s device, which is transmitted back to the web server each time the User accesses the Service’s web application.
1.11. IP Address means a unique network address assigned to a device within a computer network using the Internet Protocol (IP).
2. IMPORTANT NOTICE REGARDING THE NATURE OF THE SERVICE
2.1. Daisy is a digital wellness service intended to support emotional well-being and self-reflection. The Service is not a medical institution, psychotherapy service, psychiatric service, telemedicine platform, or crisis intervention service.
2.2. The Service’s AI Assistant does not provide medical or psychiatric diagnoses, perform clinical assessments of a User’s condition, or replace consultation with a qualified psychologist, psychotherapist, psychiatrist, or physician.
2.3. The Service is not intended for crisis intervention, suicide prevention, or emergency psychological assistance. In the event of an urgent psychological crisis, the User must immediately contact qualified professionals or emergency services in their country.
2.4. Restrictions on Use During Vulnerable Conditions
The Service is not intended for and is not recommended for individuals experiencing:
- an acute psychological crisis or emotional breakdown;
- suicidal thoughts or intentions;
- severe mental health disorders requiring clinical intervention;
- any other condition where self-guided use without professional supervision may cause harm.
In such circumstances, Users should seek assistance from a qualified psychologist, psychiatrist, physician, or appropriate emergency support service. The Operator shall not be liable for any consequences arising from the use of the Service by individuals experiencing the conditions described above.
2.5. This notice forms an integral part of the terms governing the use of the Service. By continuing to use the Service, the User acknowledges and accepts its non-medical nature and limitations.
3. CONSENT TO THE PROCESSING OF SENSITIVE DATA AND AI ANALYSIS
This Section constitutes informed consent for the processing of Sensitive Personal Data in accordance with Article 8 of the Law of the Republic of Kazakhstan No. 94-V “On Personal Data and Their Protection,” which requires the explicit consent of a data subject for the processing of data relating to their psychological and emotional condition.
3.1. The User acknowledges and confirms that, when using the Service, they voluntarily provide information relating to their emotional, psychological, and personal condition, which constitutes Sensitive Personal Data under the laws of the Republic of Kazakhstan.
3.2. By registering for the Service and accepting this Policy, the User provides separate and informed consent to:
- the automated processing and analysis of text messages by artificial intelligence algorithms;
- the identification and storage of emotional and behavioral patterns;
- the retention of conversation history for the purpose of generating personalized recommendations;
- the cross-border transfer and processing of data within the infrastructure of cloud service providers, including in countries that do not provide a level of data protection equivalent to that of the User’s country of residence.
3.3. The User understands that the functionality of the Service cannot technically be provided without the processing of the above-mentioned data.
3.4. Consent provided upon registration may be withdrawn at any time by submitting a request to hello@talktodaisy.com. Withdrawal of consent shall result in termination of access to the Service, as the processing of such data constitutes a condition for the provision of the Service.
4. GENERAL PROVISIONS. PROCESSING PRINCIPLES
4.1. Use of the Service by the User constitutes acceptance of this Policy. Consent to the processing of Sensitive Personal Data shall be obtained separately in accordance with Section 3 of this Policy.
4.2. If the User does not agree with the terms of this Policy, the User must immediately discontinue use of the Service.
4.3. Personal Data shall be processed by the Operator in accordance with the following principles:
- lawfulness, fairness, and transparency;
- limitation of processing to predetermined and legitimate purposes;
- data minimization — collection only of data necessary to achieve the stated purposes;
- accuracy and currency of data;
- storage limitation — Personal Data in a form permitting identification of a Data Subject shall not be retained longer than necessary for the purposes of processing;
- maintenance of an appropriate level of security, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage.
4.4. This Policy applies in full to the Daisy Service. The Operator does not control and shall not be responsible for third-party websites or services that may be accessed through links available within the Service.
4.5. The User is responsible for the accuracy of the information provided. The Operator is not obligated to verify the accuracy of information supplied by the User except where such verification is required by applicable law or necessary to ensure the security of the Service.
4.6. Data used to improve algorithms shall be subject to prior de-identification/anonymization and shall not contain direct identifiers. 4.6. Such data may be retained for longer periods, including indefinitely, because they do not permit identification of the User.
5. SUBJECT MATTER OF THE POLICY. CATEGORIES OF DATA
5.1. This Policy establishes the Operator’s obligations regarding the non-disclosure, protection, and confidentiality of Personal Data provided by the User while using the Service.
5.2. Data Provided Directly by the User:
- email address;
- name or pseudonym (if provided);
- authentication data obtained through third-party login providers (e.g., Google), if the User utilizes such login method;
- interface language;
- country of residence (if provided).
5.2.1. When authentication is performed through third-party identity providers (e.g., Google), the Operator may receive the minimum amount of information necessary to create and maintain a user account, including the User’s name, email address, and unique account identifier.
5.3. Sensitive Data — Conversation Content
The primary category of data processed by the Service consists of the User’s text messages exchanged with the AI Assistant. Such messages may contain descriptions of emotional states, personal experiences, family and interpersonal circumstances, anxious thoughts, and psychological or emotional conditions.
The Operator treats the content of such communications as Sensitive Personal Data and ensures an enhanced level of protection in accordance with Article 8 of the Law of the Republic of Kazakhstan No. 94-V.
5.4. Behavioral and Analytical Data
The Service analyzes emotional trends, recurring themes, and behavioral patterns solely for the purpose of personalizing conversations and improving the quality of support. Such analysis is auxiliary and non-medical in nature and does not constitute a clinical assessment.
5.5. Technical Data
The Operator may automatically collect technical information, including:
- IP address;
- device type;
- browser type;
- operating system;
- information regarding User activity within the Service;
- error logs;
- cookies and similar technologies.
Such data is used exclusively to ensure the security, operation, diagnostics, and improvement of the Service.
6. PURPOSES OF PERSONAL DATA PROCESSING
The Operator processes the User’s Personal Data for the following purposes:
6.1. Identifying the User and providing access to the functionality of the Service.
6.2. Enabling interaction with the AI Assistant, personalizing responses, and generating behavioral recommendations.
6.3. Retaining conversation history to provide context for future interactions and monitor the User’s progress.
6.4. Improving the quality of the Service, personalization algorithms, and AI functionalities using anonymized and/or aggregated data, subject to separate User consent where such consent is required under applicable law.
6.5. Establishing communication with the User and processing requests and inquiries.
6.6. Providing effective customer and technical support.
6.7. Informing the User, subject to their consent, about Service updates and new features.
6.8. Processing subscription payments for the Service.
6.9. Ensuring the security of the Service and preventing fraud.
6.10. Complying with applicable legal requirements.
The Operator does not use User data for third-party advertising targeting purposes and does not sell Personal Data to third parties.
7. HOW THE AI ASSISTANT WORKS: DATA PROCESSING AND TECHNOLOGY LIMITATIONS
7.1. The User’s text messages are processed by the Service’s AI Assistant for the purpose of generating responses and recommendations based on self-reflection techniques, emotional regulation methods, cognitive reframing approaches, and other non-medical methods of supporting emotional well-being.
7.2. Conversation history is retained to preserve context and enable personalization. The Service utilizes selective contextual retrieval rather than a complete linear analysis of the entire conversation history.
7.3. The AI Assistant does not make legally significant decisions, medical decisions, or any automated decisions affecting the User’s rights.
7.4. Limitations of Artificial Intelligence Technology
The AI Assistant is based on a probabilistic language model. Responses are generated automatically using statistical algorithms and may be:
- incomplete and fail to address all aspects of the User’s situation;
- inaccurate or erroneous, including factually incorrect information (commonly referred to as AI “hallucinations”);
- unsuitable for the User’s specific life circumstances.
The Service does not guarantee the psychological, emotional, or practical suitability of any recommendations generated by the AI Assistant. The User accepts and relies upon such recommendations at their own discretion and risk.
7.5. The Operator shall not be liable for the accuracy, suitability, or consequences of AI-generated recommendations in the User’s particular circumstances.
7.6. The User acknowledges and agrees that responses generated by the AI Assistant are produced automatically without human involvement and may not reflect the views or position of the Operator.
8. LEGAL BASIS AND RETENTION PERIODS FOR PROCESSING
8.1. Personal Data shall be processed on the basis of:
- the User’s consent provided in accordance with Section 3 of this Policy;
- the necessity to enter into and perform a service agreement to which the User is a party;
- the Operator’s legitimate interests in ensuring the security and improvement of the Service, to the extent that such interests do not override the User’s rights and freedoms.
8.2. Retention Periods for Personal Data
| Data Category | Retention Period |
|---|---|
| Account Data | For the duration of the account’s existence plus thirty (30) calendar days following deletion |
| Conversation History | For the duration of the account’s existence plus thirty (30) calendar days following deletion |
| Technical Logs | Up to twelve (12) months unless a longer retention period is required for the investigation of a security incident |
| Payment Information | In accordance with the requirements of the payment provider and applicable law |
| Anonymized AI Training Data | Indefinitely |
8.3. Upon expiration of the applicable retention period, Personal Data shall be destroyed or anonymized in accordance with the Operator’s internal procedures and the requirements of ISO/IEC 27001 and the legislation of the Republic of Kazakhstan.
8.4. Following account deletion, certain data may be retained for longer periods where required by law, for dispute resolution purposes, for the performance of contractual obligations, or to comply with requests of governmental authorities.
9. TRANSFER OF PERSONAL DATA
9.1. The Operator may transfer Personal Data to third parties in the following circumstances:
- where the User has expressly consented to such transfer;
- where such transfer is necessary for the operation of the Service, including transfers to:
- cloud infrastructure providers;
- AI technology and computing service providers;
- data storage service providers;
- analytics service providers;
- user authentication service providers;
- payment service providers;
- governmental authorities where required by law.
9.2. All third parties processing Personal Data on behalf of the Operator are bound by contractual obligations relating to confidentiality and data protection.
9.3. The Operator does not transfer Personal Data to third parties for advertising targeting purposes and does not sell Personal Data in any form.
9.4. The current list of principal categories of service providers may be updated periodically as the Service evolves.
9.5. Cross-Border Data Transfers
Due to the use of cloud infrastructure, the User’s Personal Data may be transferred to and processed on servers located outside the Republic of Kazakhstan and outside the User’s country of residence, including jurisdictions that may not provide a level of personal data protection equivalent to that of the User’s country of residence.
By accepting this Policy and providing consent in accordance with Section 3, the User expressly consents to such cross-border transfer of Personal Data.
The Operator implements appropriate contractual and organizational safeguards to ensure that transferred data is protected in accordance with the requirements of the legislation of the Republic of Kazakhstan.
For the purpose of operating the AI Assistant, the Operator may transfer certain User data to artificial intelligence technology providers acting as data processors on behalf of the Operator.
9.6. Data Localization and Restrictions
Where the laws of the User’s country of residence impose localization requirements or other conditions relating to the processing of Personal Data, the Operator shall take reasonable measures to comply with such requirements.
If compliance is not technically or legally feasible, the Operator reserves the right to restrict the availability of certain Service functionalities within the relevant territory.
10. USE OF DATA FOR AI TRAINING
10.1. Anonymized conversation data may be used to improve the quality of the Service, personalization algorithms, and AI functionalities only if all of the following conditions are met:
- the data has been stripped of direct and indirect personal identifiers;
- the User has not exercised the opt-out right provided for in Clause 10.2 of this Policy;
- such use does not result in the disclosure or identification of the User.
10.2. The User may prohibit the use of their conversations for algorithm training purposes at any time, either before commencing use of the Service or during its use, by:
- modifying the relevant setting within the Service interface (where such functionality is available); or
- submitting a request to: hello@talktodaisy.com.
Such opt-out shall take effect upon receipt by the Operator and shall not affect the availability of the Service functionality.
10.3. Anonymized data shall not be transferred or sold to third parties.
11. SECURITY MEASURES. ISO/IEC 27001 COMPLIANCE
11.1. The Operator shall implement necessary and sufficient organizational and technical measures to protect the User’s Personal Data against unauthorized or accidental access, destruction, alteration, blocking, copying, dissemination, or other unlawful actions.
11.2. Such security measures include, without limitation:
- Access Control — implementation of access rights management policies governing access to Personal Data;
- Encryption — use of cryptographic protection mechanisms (TLS/SSL) during data transmission and encryption of data at rest;
- Risk Management — regular monitoring and assessment of risks within the framework of the Information Security Management System (ISMS);
- Incident Management — maintenance of procedures for responding to security incidents involving Personal Data;
- Training and Awareness — training and instruction of employees who have access to Personal Data;
- Internal Audits — periodic internal audits and reviews of security measures.
11.3. In the event of a security incident, the Operator shall act in accordance with applicable law and, where required, notify affected Users within a reasonable period of time.
12. RIGHTS OF THE DATA SUBJECT
In accordance with the legislation of the Republic of Kazakhstan, the User has the right:
12.1. To receive information regarding the purposes, methods, and scope of processing of their Personal Data.
12.2. To access, correct, and update their Personal Data.
12.3. To withdraw consent to the processing of Personal Data. Withdrawal of consent for the processing of Sensitive Personal Data shall result in termination of access to the Service in accordance with Clause 3.4 of this Policy.
12.4. To request the deletion of Personal Data and/or cessation of processing where such data is incomplete, outdated, inaccurate, or no longer necessary for the stated purposes.
12.5. To opt out of the use of conversations for AI algorithm training purposes in accordance with Section 10 of this Policy.
To exercise these rights, the User may submit a request by email to hello@talktodaisy.com.
The Operator shall review such requests within the timeframes established by applicable law and shall endeavor to provide a response within no more than thirty (30) calendar days.
13. AGE RESTRICTIONS
13.1. The Service is intended solely for individuals who have attained the age of eighteen (18) years. The Operator does not knowingly collect Personal Data from minors.
13.2. If a User becomes aware that a minor is using the Service, they must immediately notify the Operator at: hello@talktodaisy.com.
14. OBLIGATIONS OF THE PARTIES
14.1. The User shall:
- provide accurate Personal Data and keep such data up to date;
- refrain from using the Service for purposes contrary to its intended use or applicable law;
- seek professional assistance in the event of a psychological crisis and not rely exclusively on the Service.
14.2. The Operator shall:
- use Personal Data solely for the purposes specified in Section 6 of this Policy;
- maintain the confidentiality of Personal Data and not disclose such data to third parties without the User’s consent, except where required by law;
- refrain from selling, exchanging, publishing, or otherwise disclosing the User’s Personal Data for any unauthorized purpose;
- implement all measures required by this Policy and applicable law to protect Personal Data;
- promptly notify the User if a security incident involving the User’s Personal Data is identified;
- block Personal Data upon receipt of a corresponding request from the User during the period required to verify allegedly inaccurate data or unlawful processing activities.
15. LIABILITY OF THE PARTIES
15.1. The Operator shall be liable, in accordance with the legislation of the Republic of Kazakhstan, for damages incurred by the User as a result of unlawful processing or misuse of the User’s Personal Data.
15.2. The Operator shall not be liable where Personal Data:
- became publicly available prior to its loss or disclosure through the fault of the Operator;
- was obtained from a third party before being received by the Operator;
- was disclosed with the User’s consent.
15.3. The Operator shall not be liable for any direct or indirect loss, damage, or adverse consequences arising from the User’s reliance on recommendations provided by the AI Assistant instead of obtaining professional psychological, psychiatric, or medical assistance.
The User acknowledges and accepts that the Service is a self-help and emotional support tool and does not constitute professional treatment or healthcare services.
15.4. The Operator shall not be liable for consequences arising from the use of the Service by individuals experiencing the conditions described in Clause 2.4 of this Policy.
15.5. The User acknowledges and agrees that no information security measures can provide absolute protection of data, and the Operator does not guarantee the complete absence of risks associated with the use of the Internet and information technologies.
16. DISPUTE RESOLUTION
16.1. Prior to commencing court proceedings, the parties shall comply with a mandatory pre-trial dispute resolution procedure.
16.2. The recipient of a claim shall provide the claimant with a written response regarding the results of the review within thirty (30) calendar days of receipt of such claim.
16.3. If the parties fail to reach an agreement, the dispute shall be resolved through judicial proceedings in accordance with the legislation of the Republic of Kazakhstan.
16.4. This Policy and all relations arising between the User and the Operator shall be governed by and construed in accordance with the laws of the Republic of Kazakhstan.
17. FINAL PROVISIONS
17.1. The Operator reserves the right to amend this Policy at any time.
In the event of material changes, the Operator may notify Users through the Service interface, by email, or by any other reasonable means. Unless otherwise specified in such notice, the amended version shall become effective upon publication.
17.2. Any new version of this Policy shall become effective upon its publication on the Service website unless otherwise provided therein.
17.3. Continued use of the Service after the effective date of any amendments shall constitute the User’s acceptance of the revised Policy.
17.4. This Policy has been drafted in the Russian language. In the event of any discrepancy between language versions, the Russian-language version shall prevail.
17.5. Any suggestions, requests, or questions relating to this Policy should be directed to:
hello@talktodaisy.com