Privacy and Personal Data Processing Policy

This Privacy and Personal Data Processing Policy (the “Policy”) sets out how information about users of the Daisy service, available through the web application (the “Service”), is processed and protected. It has been prepared in accordance with the Law of the Republic of Kazakhstan “On Personal Data and Their Protection” No. 94-V of 21 May 2013 and follows the principles of the international standard ISO/IEC 27001.

Personal data are processed in accordance with applicable personal data law in the relevant jurisdictions, to the extent that it does not conflict with the law of the Republic of Kazakhstan as the jurisdiction where the Operator is registered.

1. TERMS AND DEFINITIONS

1.1. Operator (Service administration, “we”) — LLP “Daisy Mental Health”, registered under the laws of the Republic of Kazakhstan, BIN: 250240028245, registered address: Kostanay, 6-1-81, whose authorized employees organize and/or carry out processing of personal data and determine the purposes and content of such processing.

1.2. User (data subject) — a natural person aged 18 (eighteen) or older who uses the Service through the web application.

1.3. Personal data — any information relating to an identified or identifiable natural person, directly or indirectly.

1.4. Sensitive (special) personal data — data revealing a person’s psychological and emotional state, personal experiences, family and interpersonal situations. For the purposes of this Policy, sensitive data includes, in particular, text messages the User sends in dialogue with the Service’s AI assistant.

1.5. Processing of personal data — any operation or set of operations performed on personal data, including collection, recording, organization, accumulation, storage, updating, retrieval, use, transfer, anonymization, blocking, erasure, and destruction.

1.6. Confidentiality of personal data — the requirement not to disclose personal data without the data subject’s consent or another lawful basis.

1.7. AI assistant — a software module of the Service based on a language model and behavioral analysis algorithms that converses with the User, generates responses, and provides behavioral recommendations.

1.8. Anonymization — actions after which personal data can no longer be attributed to a specific data subject without additional information.

1.9. Information security management system (ISMS) — a risk-based management system for establishing, implementing, operating, and improving information security in line with ISO/IEC 27001.

1.10. Cookies — a small piece of data sent by the web server and stored on the User’s device, which is sent back to the server on each request to the Service’s web application.

1.11. IP address — a unique network address of a node in a computer network using the IP protocol.

2. IMPORTANT NOTICE ON THE NATURE OF THE SERVICE

2.1. Daisy is a digital wellness service and a tool for emotional support and self-reflection. It is not a medical organization, psychotherapy or psychiatry service, telemedicine service, or crisis mental health service.

2.2. The Service’s AI assistant does not make medical or psychiatric diagnoses, does not perform clinical assessment of the User’s condition, and does not replace consultation with a qualified professional such as a psychologist, psychotherapist, or physician.

2.3. The Service is not intended for crisis intervention, suicide prevention, or emergency psychological care. If you are in an urgent psychological crisis, you must immediately contact qualified professionals or emergency services in your country.

2.4. Limitations in vulnerable states. The Service is not intended for, and is not recommended for, people who are in: an acute psychological crisis or emotional breakdown; suicidal thoughts or intent; severe mental health conditions requiring clinical care; or other states in which self-guided work without professional support could cause harm. In such cases you should contact a qualified specialist — a psychologist, psychiatrist, or the appropriate emergency service. The Operator is not liable for consequences of using the Service while in such states.

2.5. This notice is an integral part of the terms of use. By continuing to use the Service, the User confirms understanding and acceptance of its non-medical nature and limitations.

3. CONSENT TO SENSITIVE DATA PROCESSING AND AI ANALYSIS

This section constitutes informed consent to processing of sensitive personal data under Article 8 of the Law of the Republic of Kazakhstan “On Personal Data and Their Protection” No. 94-V, which requires explicit consent for processing data concerning psychological and emotional state.

3.1. The User acknowledges that by using the Service they voluntarily provide information relating to their emotional, psychological, and personal state, which constitutes sensitive personal data under the law of the Republic of Kazakhstan.

3.2. By registering and accepting this Policy, the User gives separate informed consent to: automated processing and analysis of text messages by artificial intelligence algorithms; detection and storage of emotional and behavioral patterns; storage of chat history to provide personalized recommendations; cross-border transfer and processing of data in cloud infrastructure, including in countries that may not provide a level of data protection equivalent to the law of the User’s country of residence.

3.3. The User understands that the Service cannot function without processing such data.

3.4. Consent given at registration may be withdrawn at any time by sending a request to hello@talktodaisy.com. Withdrawal of consent will result in loss of access to the Service, because processing of such data is a condition of providing it.

4. GENERAL PROVISIONS AND PROCESSING PRINCIPLES

4.1. Use of the Service by the User constitutes acceptance of this Policy. Consent to processing sensitive personal data is given separately as described in Section 3.

4.2. If you do not agree with this Policy, you must stop using the Service immediately.

4.3. The Operator processes personal data on the principles of: lawfulness, fairness, and transparency; purpose limitation — processing only for predefined lawful purposes; data minimization — collecting only what is necessary for those purposes; accuracy and currency; storage limitation — personal data identifying the subject are not kept longer than required for the purposes; and appropriate security, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage.

4.4. This Policy applies to the Daisy Service in full. The Operator does not control and is not responsible for third-party websites or services that the User may access via links in the Service.

4.5. The Service administration does not verify the accuracy of personal data provided by the User and assumes that the User provides accurate information.

4.6. Data used to improve algorithms are anonymized and do not contain direct identifiers. Such data may be retained longer, including indefinitely, because they do not identify the User.

5. SCOPE OF THE POLICY AND CATEGORIES OF DATA

5.1. This Policy sets out the Operator’s obligations of non-disclosure and of maintaining protection and confidentiality of personal data that the User provides when using the Service.

5.2. Data provided directly by the User include: name or nickname; email address; interface language; country of residence (optional).

5.3. Sensitive data — chat content: the main type of data processed consists of text messages in dialogue with the AI assistant. Messages may describe emotional states, personal experiences, family and interpersonal situations, anxious thoughts, and psycho-emotional condition. The Operator treats chat content as sensitive personal data and applies heightened protection in accordance with Article 8 of Law No. 94-V of the Republic of Kazakhstan.

5.4. Behavioral and analytics data: the Service analyzes dynamics of emotional state, recurring themes, and reaction patterns solely to personalize dialogue and improve support quality. This analysis is auxiliary and non-medical and is not a clinical assessment.

5.5. Technical data: technical information — IP address, device and browser type, cookies, session data, and error logs — is collected and processed in a pseudonymized or aggregated form to ensure operation and security of the Service and to prevent unauthorized access.

6. PURPOSES OF PROCESSING PERSONAL DATA

The Operator processes the User’s personal data for the following purposes:

• 6.1. Identifying the User and providing access to Service functionality.
• 6.2. Enabling dialogue with the AI assistant, personalizing responses, and generating behavioral recommendations.
• 6.3. Storing chat history to maintain context for future conversations and track the User’s progress.
• 6.4. Improving AI assistant algorithms using only anonymized data — where the User has consented in accordance with Section 10 of this Policy.
• 6.5. Communicating with the User and handling requests and applications.
• 6.6. Providing effective customer and technical support.
• 6.7. Informing the User, with consent, about Service updates and new features.
• 6.8. Processing payments for subscriptions to the Service.
• 6.9. Ensuring security of the Service and preventing fraud.
• 6.10. Complying with applicable law.

The Operator does not use the User’s data for third-party advertising targeting and does not sell personal data to third parties.

7. HOW THE AI ASSISTANT WORKS: DATA PROCESSING AND TECHNOLOGY LIMITATIONS

7.1. Text messages are processed by the Service’s AI assistant to generate responses and recommendations based on cognitive behavioral therapy (CBT), dialectical behavior therapy (DBT), and self-reflection techniques.

7.2. Chat history is stored to maintain dialogue context and personalization. The Service uses selective contextual retrieval rather than full linear analysis of the entire history.

7.3. The AI assistant does not make legally significant decisions, medical decisions, or automated decisions affecting the User’s rights.

7.4. Limitations of AI technology. The AI assistant uses a probabilistic language model. Responses are generated automatically from statistical algorithms and may be: incomplete — not covering all aspects of the User’s situation; inaccurate or wrong — including factually incorrect information (“hallucinations”); or unsuitable for the User’s specific life context. The Service does not guarantee psychological, emotional, or practical applicability of the AI assistant’s recommendations. The User accepts and uses recommendations at their own discretion and risk.

7.5. The Operator is not liable for the accuracy, applicability, or consequences of AI recommendations in specific life situations.

8. LEGAL BASES AND RETENTION PERIODS

8.1. Processing is based on: the User’s consent as described in Section 3; performance of the contract for Service provision to which the User is a party; and the Operator’s legitimate interests in security and improvement of the Service — to the extent they do not override the User’s rights and freedoms.

8.2. Retention periods:

• Account data: For the life of the account plus 30 calendar days after deletion.
• Chat history: For the life of the account plus 30 calendar days after deletion.
• Technical logs: Up to 6 months, unless longer retention is needed to investigate a security incident.
• Anonymized data for AI training: Indefinitely.

8.3. After the retention period, personal data are destroyed or anonymized in accordance with internal procedures of the Operator that meet ISO/IEC 27001 and the law of the Republic of Kazakhstan.

9. SHARING OF PERSONAL DATA

9.1. The Operator may share personal data with third parties where: the User has consented; sharing is necessary to operate the Service (cloud providers, AI processing providers, payment systems); or sharing is required by law of the Republic of Kazakhstan to authorized public bodies.

9.2. All processors acting on behalf of the Operator are bound by confidentiality and data protection obligations under appropriate agreements.

9.3. The Operator does not share personal data with third parties for advertising targeting and does not sell it in any form.

9.4. Cross-border transfers. Because cloud infrastructure is used, personal data may be processed on servers located outside the Republic of Kazakhstan and outside the User’s country of residence, including in states that may not ensure a level of protection equivalent to the User’s local law. By accepting this Policy and consenting under Section 3, the User expressly agrees to such transfers. The Operator applies appropriate contractual and organizational measures to protect transferred data in line with the law of the Republic of Kazakhstan.

9.5. Localization and restrictions. If the law of the User’s country of residence imposes localization or other processing requirements, the Operator takes reasonable steps to comply. If compliance is impossible for technical or legal reasons, the Operator may restrict certain Service features in the relevant territory.

10. USE OF DATA FOR AI TRAINING

10.1. Anonymized dialogue data may be used to improve AI assistant algorithms only if all of the following hold: data have been fully anonymized and stripped of direct and indirect identifiers; the User has not exercised the opt-out in Section 10.2; and use does not reveal the User’s identity.

10.2. The User may at any time prohibit use of their dialogues for training algorithms before or during use of the Service by: changing the relevant setting in the Service interface (if available); or emailing hello@talktodaisy.com. The opt-out takes effect when received by the Operator and does not affect availability of Service functionality.

10.3. Anonymized data are not sold or transferred to third parties for their independent use as a sale.

11. SECURITY MEASURES AND ISO/IEC 27001

11.1. The Operator implements appropriate organizational and technical measures to protect personal data against unlawful or accidental access, destruction, alteration, blocking, copying, distribution, and other unlawful acts.

11.2. Measures include, without limitation: access control and least-privilege policies; encryption — TLS/SSL in transit and encryption at rest where appropriate; regular risk monitoring under the ISMS; incident management procedures for security incidents involving personal data; staff training for those with access to personal data; periodic internal audits and review of safeguards.

11.3. If a security incident poses a risk of unauthorized access to personal data, the Operator notifies the User within a reasonable time after discovery and initial assessment.

12. DATA SUBJECT RIGHTS

Under the law of the Republic of Kazakhstan, the User has the right to:

• 12.1. Obtain information about the purposes, means, and content of processing of their personal data.
• 12.2. Access their personal data and request correction or updating.
• 12.3. Withdraw consent to processing. Withdrawal of consent to processing sensitive data will end access to the Service as described in Section 3.4.
• 12.4. Request erasure of their personal data and/or cessation of processing where data are incomplete, outdated, inaccurate, or no longer necessary for the stated purposes.
• 12.5. Opt out of use of dialogues for AI training as described in Section 10.

To exercise these rights, the User may email hello@talktodaisy.com. The Operator responds within 30 calendar days of receipt.

13. AGE RESTRICTIONS

13.1. The Service is intended only for persons aged 18 (eighteen) or older. The Operator does not knowingly collect data from minors.

13.2. If you become aware that a minor is using the Service, notify us immediately at hello@talktodaisy.com.

14. OBLIGATIONS OF THE PARTIES

14.1. The User shall: provide accurate personal data and update them as needed; not use the Service for purposes contrary to its purpose or applicable law; and seek professional help in a mental health crisis rather than relying on the Service alone.

14.2. The Operator shall: use data only for the purposes in Section 6; maintain confidentiality and not disclose data to third parties without consent except as required by law; not sell, exchange, publish, or disclose personal data for other purposes; take all measures required by this Policy and law to protect data; notify the User promptly of security incidents affecting their personal data; and block processing upon a substantiated request pending review where data are inaccurate or processing is unlawful.

15. LIABILITY

15.1. The Operator is liable for damages suffered by the User due to unlawful processing of personal data, to the extent required by the law of the Republic of Kazakhstan, where the Operator has failed to meet its obligations.

15.2. The Operator is not liable if data: became public before loss or disclosure through the Operator’s fault; were obtained from a third party before receipt by the Operator; or were disclosed with the User’s consent.

15.3. The Operator is not liable for harm arising from using AI assistant recommendations instead of professional psychological, psychiatric, or medical care. The User understands that the Service is a self-help and emotional support tool, not professional treatment.

15.4. The Operator is not liable for consequences of use by persons in the states described in Section 2.4.

16. DISPUTE RESOLUTION

16.1. A mandatory pre-action complaint procedure applies before court proceedings.

16.2. The recipient of a complaint responds in writing within 30 calendar days of receipt.

16.3. If no agreement is reached, disputes are resolved in court under the applicable law of the Republic of Kazakhstan.

16.4. This Policy and the relationship between the User and the Operator are governed by the applicable law of the Republic of Kazakhstan.

17. FINAL PROVISIONS

17.1. The Operator may amend this Policy unilaterally. Material changes will be communicated by email (if available) or in the Service interface at least 14 calendar days before they take effect.

17.2. The new version takes effect when published on the Service website unless the new version provides otherwise.

17.3. Continued use after changes take effect constitutes acceptance of the updated Policy.

17.4. This Policy is originally drafted in Russian. If translations are provided, the Russian version prevails in case of discrepancy.

17.5. Questions about this Policy may be sent to hello@talktodaisy.com