Legal Documents
KMS Privacy Policy
- Effective date
- April 22, 2026
- Version
- 2.0
- Last updated
- April 22, 2026
Contents
- 1. General provisions
- 2. Data controller
- 3. Joint controller model
- 4. Categories of personal data processed
- 5. Purposes and legal bases
- 6. Third parties and cross-border transfers
- 7. Retention periods
- 8. Data subject rights
- 9. Security measures
- 10. Breach notification
- 11. Processing minors' data (Art. 18)
- 12. Cookies and similar technologies
- 13. Changes to this Policy
- 14. Contacts
Legal notice. The Russian version of this document is the authoritative text. This English translation is provided for convenience and must be interpreted consistently with the Russian original.
1. General provisions
1.1. This Privacy Policy (the "Policy") governs how the KMS service (Kindergarten Management System) — a multi-tenant SaaS platform for pre-school institutions — collects, processes, stores, transfers, and protects personal data.
1.2. The Policy is based on:
- The Constitution of the Kyrgyz Republic (Art. 29 — right to privacy);
- Law of the Kyrgyz Republic No. 179 of July 31, 2025, "On Personal Data Protection" (the "Law No. 179"), effective February 6, 2026;
- Digital Code of the Kyrgyz Republic No. 178 of July 31, 2025, effective February 8, 2026;
- Laws of the Kyrgyz Republic on education, on public health, and on child rights — for data of pupils and minors;
- Labour Code and Tax Code of the Kyrgyz Republic — for staff data and retention of financial records.
1.3. By using KMS you confirm that you have read and accept this Policy. If you do not accept it, stop using the service.
1.4. This edition fully supersedes all earlier versions.
2. Data controller
2.1. Operator of the KMS service:
- Legal name: Sole Proprietor Tursunakunova Nurzhan Surapovna (OKPO 33188711, reg. no. 004-2024-169-3867 of 2024-08-20)
- Tax ID (INN): 10101198505505
- Registered address: Kyrgyz Republic, Bishkek, Pervomaisky district, Borovskoy lane 28
- Phone: +996 500 519 112
- Data protection email: [email protected]
- General support: [email protected]
- Website: https://kms-system.com
2.2. Data Protection Officer (DPO) under Art. 38 of Law No. 179: contact — [email protected].
2.3. State registry of personal data operators (Art. 20 of Law No. 179): the registration number will be published once enrollment with the State Agency for Personal Data Protection of the Kyrgyz Republic is complete.
3. Joint controller model
3.1. KMS operates under a joint controller model within the meaning of Art. 19 of Law No. 179:
| Party | Role | Area of responsibility |
|---|---|---|
| Sole Proprietor Tursunakunova Nurzhan Surapovna (OKPO 33188711, reg. no. 004-2024-169-3867 of 2024-08-20) (KMS) | Operator of the software platform | Storage, protection, and availability; technical security; breach notifications; subject rights interface |
| Kindergarten (KMS client) | Operator of educational and organisational data | Accuracy of input; parental consents; internal access control |
3.2. Allocation of responsibilities is formalised in the DPA section of the KMS Terms of Service.
3.3. A data subject may contact either party — the request will be processed jointly within statutory deadlines.
4. Categories of personal data processed
4.1. Children's data (minors — Art. 18 of Law No. 179):
| Category | Items |
|---|---|
| Identification | Full name, date of birth, gender, residential address |
| Documentary | Birth certificate number, document scans |
| Biometric (special category, Art. 8) | Child's photograph |
| Medical (special category, Art. 8) | Health group, allergies, chronic conditions, vaccination record, physician notes, medical card, incidents and injuries, physical measurements (height, weight, vision, hearing, blood pressure) |
| Educational | Group, attendance, developmental assessments, daily diary entries |
| Contextual | Emergency contacts, special notes |
4.2. Parents / legal representatives:
| Category | Items |
|---|---|
| Identification | Full name |
| Contact | Phone, email |
| Account | Relationship to child, primary representative status |
| Financial | Payment history for kindergarten services |
| Communication | Messages with kindergarten staff, notifications |
| Technical | IP address, User-Agent, login history |
4.3. Kindergarten staff:
| Category | Items |
|---|---|
| Identification | Full name, date of birth, gender, address |
| Documentary (partially special) | Passport data and scans, taxpayer ID, diplomas, employment contract |
| Biometric (special, Art. 8) | Staff photograph |
| Medical (special, Art. 8) | Medical book data |
| Professional | Position, qualification, education, tenure, certificates |
| Labour | Leaves, sick leave, schedules, salary, deductions, bonuses |
| Account | Login, role, active status |
| Technical | IP address, User-Agent, audit log |
4.4. Visitors log: visitor's name, purpose, related child, check-in / check-out, ID document.
4.5. Waiting list: child's name, date of birth, parent's name and contacts.
5. Purposes and legal bases
5.1. Processing is limited to the purposes listed below on one of the legal bases of Art. 5 of Law No. 179:
| Purpose | Categories | Legal basis |
|---|---|---|
| User identification and authentication | Account, contact | Performance of contract (Art. 5(2)) |
| Delivery of KMS services | All, by purpose | Performance of contract |
| Enrollment and registration of a child | Children's, parents' | Consent of legal representative (Art. 9 + 18) |
| Educational services | Educational, attendance | Education law (Art. 5(4)) |
| Safeguarding the child's health | Medical, allergies | Consent + vital interests (Art. 5(6), Art. 8) |
| Payment for services | Financial | Contract + Tax Code |
| Personnel administration | Staff | Labour Code (Art. 5(4)) |
| Tax and accounting | Financial | Tax Code (Art. 5(4)) |
| System security | Technical (IP, User-Agent, logs) | Legitimate interests (Art. 5(5)) |
| Communication | Communication | Contract |
5.2. Processing of special categories (medical, biometric, minors' data — Art. 8 + 18) requires explicit and separate consent obtained via the KMS consent interface. No consent — no processing.
5.3. We do not use personal data for direct marketing, profiling, or transfers to third parties for advertising.
6. Third parties and cross-border transfers
6.1. Storage: all data are stored on the operator's own infrastructure physically located within the Kyrgyz Republic. No transfer outside KR occurs except as stated in 6.2.
6.2. Unavoidable cross-border transfers (Art. 32 of Law No. 179):
| Recipient | Country | Data | Purpose | Basis |
|---|---|---|---|---|
| Google LLC (Google OAuth) | USA | Google profile email and name (at login) | User authentication | Consent expressed by clicking "Sign in with Google" |
| Cloudflare, Inc. (Cloudflare Tunnel) | Global CDN/proxy | IP address, User-Agent, HTTP metadata (in transit, no storage) | HTTPS delivery and DDoS protection | Legitimate interests |
6.3. We do not transfer personal data to third parties for commercial or advertising purposes. Transfers to state authorities occur only in cases mandated by law.
6.4. We do not use Supabase, Vercel, Amazon Web Services, Google Cloud or other foreign cloud storage for user personal data.
7. Retention periods
7.1. Under Art. 34 of Law No. 179 data are kept no longer than necessary.
| Category | Retention | Basis |
|---|---|---|
| Active users | Duration of agreement | Contract |
| After account deletion | 30-day grace, then destroyed | Technical recovery + Art. 34 |
| Financial documents | 5 years from year of payment | Tax Code |
| Staff employment records | 75 years (archival) | Labour Code, archival law |
| Audit logs | 3 years | Legitimate interests |
| Backups | 90 days | Recovery |
| Consent records | Validity period + 3 years after withdrawal | Proof of lawfulness |
7.2. After expiry, data are destroyed within two weeks with an internal destruction act.
7.3. Destruction applies to all copies: primary DB, backups (once their own retention expires), local caches.
8. Data subject rights
8.1. Under Arts. 10–13, 23 of Law No. 179 a data subject may:
- Obtain information about processing — response within 14 days (Art. 10);
- Request correction of inaccurate or incomplete data — applied within 7 days (Arts. 13, 35);
- Request deletion ("right to be forgotten") if no other legal basis remains — within 7 days (Art. 23);
- Withdraw consent at any time via the KMS interface or by emailing [email protected];
- Object to processing for direct marketing or third-party transfers (Art. 12);
- Complain to the State Agency for Personal Data Protection — https://dpa.gov.kg.
8.2. Send requests to [email protected] with proof of identity (to prevent unauthorised access to third-party data).
8.3. Withdrawing a legal representative's consent to processing a child's data makes continued KMS service provision technically impossible.
9. Security measures
9.1. The operator applies the following technical and organisational safeguards:
Technical:
- Transport encryption: TLS 1.3, HSTS, HTTP → HTTPS redirect;
- Session protection: httpOnly + Secure + SameSite cookies, short-lived JWT;
- CSRF defence: double-submit cookie pattern on all mutations;
- Brute-force and scanning protection: rate limiting, honeypot endpoints, 24-hour IP ban on suspicious activity;
- Tenant isolation: application-layer filtering by
kindergarten_idon every query; - Audit: append-only
audit_logstable with DB-level update/delete locks; - Backups: encrypted automated snapshots;
- Anomaly monitoring.
Organisational:
- Minimisation: only data needed for a specific purpose;
- Access segregation: 10-role RBAC;
- Session control: automatic logout after inactivity;
- Staff training on data protection;
- Periodic access reviews;
- Logging of critical operations.
9.2. No system can guarantee 100 % protection. The operator will react to incidents per section 10.
10. Breach notification
10.1. Under Art. 37 of Law No. 179:
- The operator notifies the State Agency for Personal Data Protection within 72 hours of detection;
- Where the breach poses a high risk to subjects, they are notified as soon as practicable via email / in-app;
- A processor notifies the operator within 48 hours;
- The notice includes: nature, affected categories and volume, expected consequences, measures taken.
10.2. The operator maintains an internal register of incidents.
11. Processing minors' data (Art. 18)
11.1. KMS processes data of children aged 0–10. All decisions are made by the legal representative.
11.2. Prior to processing the operator obtains electronic consent via the parent's KMS account.
11.3. Four consent blocks (table parent_consents):
- General processing of child's data (
data_processing) — required; - Medical data (
medical_data) — required for enrollment; - Photograph usage (
photo_usage) — optional; - Emergency medical care (
emergency_treatment) — required.
11.4. The consent text is published at /{locale}/legal/parent-consent.
11.5. Minors' data are not used for automated decision-making, profiling, or transfers outside educational and medical purposes.
12. Cookies and similar technologies
12.1. KMS uses strictly necessary cookies only. No advertising or analytics cookies.
12.2. The full cookie list is at /{locale}/legal/cookies.
12.3. Separate cookie consent is not required because all cookies are essential to deliver the requested service.
13. Changes to this Policy
13.1. The current version is published at https://kms-system.com/{locale}/privacy.
13.2. Material changes (new data categories, new recipients, retention changes) are notified:
- Via in-app notices;
- Via user email (where available);
- At least 14 days in advance.
13.3. Continued use after the effective date indicates acceptance of the new version.
14. Contacts
- DPO email: [email protected]
- Support email: [email protected]
- Website: https://kms-system.com
- Regulator: State Agency for Personal Data Protection — https://dpa.gov.kg
