Privacy Policy · Donista

1. Introduction and scope

Donista is a mobile application that lets you book a place in the queue at participating bank and telecom offices in Uzbekistan. This Privacy Policy explains what personal data we collect, why we collect it, who we share it with, and what rights you have over your data. It covers the Donista mobile app and the donista.uz website (together, the “Service”).We collect the minimum personal data we need to operate the Service. We do not sell user data to anyone.This policy is being prepared in accordance with Uzbekistan’s Personal Data Law (Law of the Republic of Uzbekistan No. ZRU-547, as amended). The exact language is being finalized by Donista’s legal team to ensure full compliance with Uzbek regulatory requirements and will be updated before launch.

2. What data Donista collects

Data you provide directly• Phone number — required to create an account and authenticate you.• Region — selected at first launch so we can show you nearby Offices. You can change this later in settings.• Name — optional. If you choose to provide it, we use it to personalize your experience and, if needed, to help partner Offices identify you.Data collected automatically• Booking history — which Offices, service types, dates, and times you book.• Transaction history — records of top-ups, Deposits, refunds, forfeits, and fees.• Device information — device type, operating system version, and app version, used for diagnostics, security, and service improvement.• Approximate location — only if you grant location permission. Used to show Offices near you. We do not track your precise location when the app is closed.Data received from partners• When you make a Booking, the partner Office’s QMS sends us confirmation of your queue position and arrival status so we can update your place in the queue and process your Deposit refund.

3. Why each category is collected

• Phone number — to authenticate you when you log in and to send you notifications about your queue position.• Region — to show you Offices available in your area.• Name — to personalize your in-app experience and, if requested by a partner Office, to help staff identify you when you arrive.• Booking history — to operate the Service, show you your past Bookings, and (on an aggregated and anonymized basis) to provide analytics to partner Offices.• Transaction history — to operate the balance system, process refunds, maintain audit trails, and comply with accounting requirements.• Device information — for diagnostics when something goes wrong, security monitoring, and improving the app across different devices.• Approximate location — to show Offices near you, only when you have granted permission.None of this data is used for advertising. None of it is sold to third parties.

4. Who we share data with

Partner officesWhen you make a Booking at a partner Office, that Office’s QMS receives the information it needs to manage the queue: your Booking time, the service type you selected, and your queue position. Partner Offices do not receive your transaction history, your Bookings at other Offices, or aggregated data about your behavior outside their Office.Payment providersWhen you top up your balance through Click, Payme, Uzcard, Humo, or another supported payment provider, that provider receives the information needed to process the transaction. Donista does not store full payment card details — we keep only the transaction reference returned by the provider.Infrastructure providersWe use cloud infrastructure services and push notification providers (such as Firebase Cloud Messaging or equivalent) to operate the Service. These providers process data on our behalf under contractual terms that require them to protect your data.Law enforcement and regulatorsWe may disclose your data if we are legally required to do so under Uzbek law, such as in response to a valid court order or request from a regulatory authority.What we do not doDonista does not sell user data to advertisers, data brokers, marketing companies, or any other third party. Period.

5. How long we retain data

We retain your personal data only as long as necessary to provide the Service and to meet legal and regulatory requirements. The specific retention periods are:• Account data (phone number, balances, Bookings): retained while your account is active and for a period after closure as required by Uzbek accounting and legal requirements. The exact post-closure period will be confirmed with legal counsel.• Transaction records (top-ups, Deposits, refunds, forfeits): retained for the period required by Uzbek financial record-keeping rules. The exact duration depends on applicable law and will be confirmed before launch.• Diagnostic and device data (device type, OS version, app version): retained for a shorter period, typically 90 days, after which it is either deleted or aggregated so it can no longer identify you.

6. Where data is stored

Draft — pending legal review: Donista is committed to compliance with Uzbekistan’s data localization requirements under the Personal Data Law. We are finalizing infrastructure decisions to ensure that personal data of Uzbek users is stored on servers located in Uzbekistan where required by law. The full statement of storage locations and providers will appear here before launch.

7. Your rights

Under Uzbek data protection law, you have the following rights regarding your personal data:• The right to know what personal data Donista holds about you.• The right to correction — you can ask us to correct inaccurate or incomplete data.• The right to deletion — you can ask us to delete your personal data, subject to legal requirements that may require us to retain certain records (such as transaction history for accounting and regulatory compliance).• The right to withdraw consent — for optional data processing, such as location access. Withdrawing consent may limit some features (for example, showing nearby Offices).• The right to lodge a complaint — with the appropriate Uzbek data protection authority.To exercise any of these rights, please contact us using the information in Section 12. We will respond to your request promptly and within the timeframes required by applicable law.

8. Security measures

We take the security of your data seriously. The following measures are in place to protect it:• Phone number authentication — with SMS one-time codes. OTP requests are rate-limited to prevent brute-force attacks.• SIM-swap protection — your Balance is frozen for 24 hours after a phone number change.• QR and override code security — QR codes and override codes rotate daily and are scoped per Office. Override code attempts are rate-limited and monitored for anomalous usage.• Encryption — data in transit is encrypted using HTTPS. Data at rest is encrypted using industry-standard methods.• Internal access controls — only Donista personnel who need access to specific data for their role are granted access.• Incident response — if a security incident affects your data, we will notify you as required by Uzbek law.Donista does not currently hold certifications such as ISO 27001 or SOC 2. We use security measures that are appropriate for a pre-launch company and will strengthen them as the Service grows.

9. Cookies and analytics on this website

The donista.uz website currently does not use third-party analytics, advertising trackers, or cross-site tracking cookies. We do not collect or process browsing behavior for marketing purposes.The website may use essential first-party cookies for basic functionality, such as remembering user interface state (for example, which section of an accordion is open). These cookies do not track you across sites and do not collect personal information.If Donista later adds first-party web analytics (such as Plausible, Fathom, or a self-hosted solution), this section will be updated and a notice will be added to the website at that time.

10. Children’s data

Donista is not directed at children. Accounts are available only to users who are of legal age in Uzbekistan.We do not knowingly collect personal data from minors. If we become aware that a minor has created an account, we will close the account and delete the associated data in accordance with applicable law.

11. Changes to this policy

Donista may update this Privacy Policy from time to time. When we make material changes, we will notify you through the app, by SMS, or by email if you have provided one.The “Last updated” date at the top of this page indicates when the most recent changes were made. If you continue to use the Service after a change takes effect, you are indicating that you accept the updated policy.If you do not agree with a change, you may close your account (see Section 3 of the Terms of Service).

12. Contact for privacy questions

If you have questions about this Privacy Policy or wish to exercise your data protection rights, you can contact Donista by email at akmaljon9080@gmail.com. Please note that this is a general contact address and will be replaced with a dedicated privacy contact (such as privacy@donista.com) once the company has been registered and operationalized.Donista is a pre-launch company in the process of registration. Our legal entity name and registered address are:[Legal entity name to be confirmed]Registered in the Republic of Uzbekistan.Registered address: [to be confirmed upon company registration]If you wish to lodge a complaint about our handling of your personal data, you may contact the relevant Uzbek data protection authority:[Data protection authority name and contact — to be confirmed by Donista’s legal team]