Platform Documents

1. Introduction

This Privacy Policy explains how "Smart Point Solutions" LLC ("we", "us", "our") collects, uses, stores, and protects personal data when you use the Smart Point mobile application — "SP PVZ" ("Application"). The Application is available on Google Play and is intended for business users, logistics partners, pickup point operators (PVZ/PUP), and end customers receiving shipments.

By installing or using the Application, you confirm that you have read and agreed to this Privacy Policy. If you do not agree, please uninstall the Application and discontinue its use.

2. Legal Basis for Data Processing

We process personal data on the following legal grounds:

• Performance of a contract — to provide shipment tracking, account management, and logistics services.
• User consent — for optional features and for the chosen OTP delivery channel. Consent may be withdrawn at any time.
• Legal obligation — to comply with financial, tax, and regulatory requirements of the Kyrgyz Republic.
• Legitimate interests — fraud prevention, security monitoring, and service improvement, balanced against user rights.

3. Information We Collect

We apply the principle of data minimization: we collect only data that is strictly necessary for the purposes described below.

3.1 Data Provided Directly by the User

Depending on your role, we may collect:

• Full name
• Phone number
• Email address
• Telegram chat identifier (username / chat ID) — only if the user selects the Telegram bot as their OTP delivery channel in their SP Linker profile
• Pickup point details (address, working hours, capacity)
• Business registration details (for entrepreneurs and legal entities)
• Banking and payment details (for partner settlements)
• Shipment details: tracking number, weight, dimensions, status, declared value, payment amount
• Messages sent to our support channels: external Telegram channel and the support email address listed in this Policy

3.2 Device and Technical Data Collected Automatically

The Application collects the following technical data. Technical data is collected only while the Application is in use and does not include background surveillance.

a) FCM Token (Firebase Cloud Messaging)

A unique token generated by Firebase for a specific device. Used exclusively to deliver push notifications: shipment updates, pickup confirmations, partnership requests, invoice alerts, and authorization codes. Stored on our server linked to the user's account. The FCM token does not allow direct identification of the user without access to our secure server environment. Deactivated upon logout or account deletion.

b) Device Type (device_type)

Platform identifier: android or ios. Used to ensure correct push notification formatting and delivery for each platform.

c) Device Name (device_name) — optional

The model name of the device. Collected optionally. Used to help the user identify their registered devices in account settings.

d) Other Technical Data

• Operating system version
• Application version
• IP address
• Session activity and usage logs
• Crash reports and diagnostic data (Firebase Crashlytics)
• Aggregated, non-advertising usage statistics (Firebase Analytics, configured without advertising identifiers)
• Locally stored session data: authentication session, FCM token, current group selection (kept in private application storage on the device — Android sandbox / iOS app container; not transmitted to third parties beyond what is described in this Policy)
• Text passed to the device's built-in text-to-speech engine when voice readout of notifications is enabled (read aloud locally; the text contains shipment status messages and may be processed by the operating system or device vendor TTS service)

3.3 One-Time Password (OTP) Delivery

Authorization in the Application is performed using a one-time code (OTP), which is also a Simple Electronic Signature within the meaning of the Law of the Kyrgyz Republic "On Electronic Signature".

The user can choose the OTP delivery channel in their SP Linker profile. The currently supported channels are:

• Smart Point Telegram bot — the code is sent via the Telegram Bot API to the user's Telegram account
• Email — the code is sent to the email address registered in the user's profile (if specified)
• Another Smart Point ecosystem application — if the user is currently authenticated in another Smart Point application, the code can be delivered there

Personal data processed for OTP delivery is limited to the identifier required by the chosen channel (Telegram chat ID, email address, or session reference of another SP application).

4. Device Permissions

The Application requests only the following permissions, each used strictly for the stated purpose, in full compliance with Google Play Developer Program Policies and Apple App Store Review Guidelines.

4.1 Camera

Used solely for:

• Scanning QR codes on shipments to identify cargo
• Scanning barcode tracking numbers
• Recording the fact of acceptance / handover of a shipment by scanning the shipment's QR code with the device camera (the scan event is transmitted to our server as an electronic confirmation of transfer)

4.2 Storage

The Application does not access the device file system, gallery, or external storage. It uses only private application storage (Android sandbox / iOS app container) for:

• Storing the authentication session and the FCM token (AsyncStorage)
• Storing user interface preferences (theme, current selected group)
• Internal runtime caching managed by the operating system

4.3 Notifications (POST_NOTIFICATIONS)

Used to display push notifications about shipments, payments, partner requests, and authorization codes. The user may revoke this permission at any time via device Settings → Apps → SP PVZ → Notifications.

5. How We Use Collected Data

We use personal data exclusively for:

• Providing, operating, and maintaining core Application functionality
• Processing, tracking, and confirming shipments
• Delivering push notifications via FCM (shipment status, payments, partner requests, authorization codes)
• Delivering OTP codes via the channel chosen by the user (Telegram bot, email, or another SP ecosystem application)
• Creating and managing user accounts and registered devices
• Calculating and executing financial settlements with partners
• Fraud detection, prevention, and security monitoring
• Responding to user support requests
• Improving Application performance and user experience
• Complying with applicable legal and regulatory obligations

We do not use automated decision-making systems that produce legal or similarly significant effects without human review.

6. Data Sharing and Disclosure

We share personal data only when necessary, and only with:

• Logistics and cargo partners — for shipment processing and delivery coordination
• Pickup point operators (PVZ/PUP) — to facilitate last-mile delivery and customer handoff
• Payment service providers and banks — to process transactions and partner settlements
• Finik (payment service provider) — when the user pays for a shipment via Finik, the Application opens the Finik payment page in an in-app web view. Payment details are processed directly by Finik in accordance with their privacy policy; we receive only the payment status callback
• Telegram (Telegram FZ-LLC) — when the user selects the Telegram bot as the OTP delivery channel, the Telegram Bot API is used to deliver one-time authorization codes
• Email service providers — when the user selects email as the OTP delivery channel, the one-time code is delivered to the user's registered email address via our email infrastructure
• Firebase / Google LLC — to deliver push notifications (FCM), collect crash/diagnostic data (Crashlytics), and aggregated usage statistics (Analytics)
• Cloud infrastructure and hosting providers — for secure server operation and data storage
• Government and regulatory authorities — only when required by applicable law, court order, or official request

All third-party providers are bound by contractual confidentiality and data security obligations. They are permitted to use personal data solely to perform agreed services.

7. Third-Party Services

The Application integrates:

• Google Play Services — app distribution, authentication, integrity checks
• Firebase Cloud Messaging (FCM) — push notification delivery; processes FCM tokens per Google's privacy policy
• Firebase Crashlytics — crash reporting and diagnostics. Crash reports may include technical device state information (device model, OS version, stack traces) necessary for debugging, but do not include personal message content or shipment data
• Firebase Analytics — aggregated usage statistics. Firebase Analytics is configured without advertising identifiers and is used exclusively for service performance measurement. Advertising ID is not collected or used
• Telegram Bot API (Telegram FZ-LLC) — used only when the user selects Telegram as their OTP delivery channel in the SP Linker profile, for delivering one-time authorization codes
• Finik (payment service provider) — when the user initiates a payment, the Application opens the Finik payment page inside an in-app web view (react-native-webview). Payment data (card details, transaction information) is collected and processed directly by Finik. We do not receive or store full payment credentials
• Operating system text-to-speech engine — when voice readout of notifications is enabled, the system TTS engine reads out shipment status messages locally on the device. The text is processed by the OS / device vendor TTS service

Firebase services do not use data for advertising purposes and do not perform cross-app tracking.

• Google LLC Privacy Policy: https://policies.google.com/privacy
• Telegram Privacy Policy: https://telegram.org/privacy

8. Data Retention

After expiration, data is securely deleted or irreversibly anonymized.

9. Data Security

We implement:

• HTTPS/TLS encryption for all data in transit
• Role-based access control for all systems
• Continuous security monitoring and intrusion detection
• Regular security assessments and vulnerability testing
• Data minimization across all collection points
• Secure encrypted backups with restricted access
• On-device data (session, FCM token, preferences) is kept inside the operating system's private application storage (Android sandbox / iOS app container), inaccessible to other applications

No internet transmission method is 100% secure. We commit to promptly investigating and remediating any reported security incidents.

10. User Rights

You have the right to:

• Access — request a copy of personal data we hold
• Rectification — request correction of inaccurate data
• Erasure — request deletion of your personal data
• Restriction — request limitation of processing
• Withdraw consent — revoke consent at any time
• Portability — request your data in a machine-readable format

11. Account and Data Deletion

The Application does not currently provide an in-app "Delete Account" button. To request deletion of your account and associated personal data, please contact the developer:

• Email: support@smartpoint.kg
• Telegram: https://t.me/existent_dd (Smart Point support channel)

Please specify in the request the phone number used for registration so we can identify your account.

Upon receiving the request we remove: personal profile, credentials, FCM tokens, and all non-essential records. Data required by financial/tax law is retained for the legally mandated period, then securely deleted. Requests are processed within 30 calendar days.

12. Children's Privacy

The Application is not directed at individuals under 18 years of age. We do not knowingly collect personal data from minors. If we become aware that a minor has provided personal data, we will promptly delete it. Contact: support@smartpoint.kg.

13. Changes to This Privacy Policy

When material changes are made, we will:

• Update the Effective Date at the top of this Policy
• Display an in-app notice before changes take effect
• Where required by law, seek renewed user consent

Continued use of the Application after notification constitutes acceptance of the revised Policy.

14. Contact Information

15. International Data Transfers

The Application uses third-party services operated by Google LLC and Telegram FZ-LLC, whose servers may be located outside the Kyrgyz Republic. Where personal data is transferred outside the Kyrgyz Republic, such transfers are protected by appropriate technical and contractual safeguards, including the providers' standard data processing terms and applicable data protection agreements.

Google LLC and Telegram FZ-LLC act as independent data controllers for data processed under their own privacy policies. We are not responsible for their data processing practices, which are governed exclusively by:

• Google Privacy Policy: https://policies.google.com/privacy
• Telegram Privacy Policy: https://telegram.org/privacy

We ensure that any such transfers comply with applicable data protection legislation and that personal data receives a level of protection equivalent to that required under the laws of the Kyrgyz Republic.

16. Appendix: Google Play Data Safety Reference

For internal use when completing the Data Safety section in Google Play Console.

Data Collected and Shared

Data Practices

• All data transmitted is encrypted in transit (HTTPS/TLS)
• Users can request full data deletion at: support@smartpoint.kg
• FCM tokens are deactivated on logout and deleted on account deletion
• Data is NOT sold to third parties
• Data is NOT used for advertising or cross-app tracking
• No background surveillance; technical data collected only while app is in use
• No geolocation, contacts, SMS, gallery photos, or GAID/IDFA collected
• Firebase Analytics does not use advertising identifiers (GAID/IDFA)
• Crash reports contain only technical debugging data, not personal content
• The Application stores session data and FCM tokens in private application storage only; no external file system access
• In-app WebView is used for two purposes only: (a) rendering local QR HTML, (b) opening the Finik payment page
• No automated decision-making with legal or significant effects without human review

Permissions Declared

Third-Party SDKs Declared