All documents

Legal Documents

KMS Privacy Policy

Effective date
April 22, 2026
Version
2.0
Last updated
April 22, 2026
Contents
  1. 1. General provisions
  2. 2. Data controller
  3. 3. Joint controller model
  4. 4. Categories of personal data processed
  5. 5. Purposes and legal bases
  6. 6. Third parties and cross-border transfers
  7. 7. Retention periods
  8. 8. Data subject rights
  9. 9. Security measures
  10. 10. Breach notification
  11. 11. Processing minors' data (Art. 18)
  12. 12. Cookies and similar technologies
  13. 13. Changes to this Policy
  14. 14. Contacts

Legal notice. The Russian version of this document is the authoritative text. This English translation is provided for convenience and must be interpreted consistently with the Russian original.


1. General provisions

1.1. This Privacy Policy (the "Policy") governs how the KMS service (Kindergarten Management System) — a multi-tenant SaaS platform for pre-school institutions — collects, processes, stores, transfers, and protects personal data.

1.2. The Policy is based on:

  • The Constitution of the Kyrgyz Republic (Art. 29 — right to privacy);
  • Law of the Kyrgyz Republic No. 179 of July 31, 2025, "On Personal Data Protection" (the "Law No. 179"), effective February 6, 2026;
  • Digital Code of the Kyrgyz Republic No. 178 of July 31, 2025, effective February 8, 2026;
  • Laws of the Kyrgyz Republic on education, on public health, and on child rights — for data of pupils and minors;
  • Labour Code and Tax Code of the Kyrgyz Republic — for staff data and retention of financial records.

1.3. By using KMS you confirm that you have read and accept this Policy. If you do not accept it, stop using the service.

1.4. This edition fully supersedes all earlier versions.


2. Data controller

2.1. Operator of the KMS service:

  • Legal name: Sole Proprietor Tursunakunova Nurzhan Surapovna (OKPO 33188711, reg. no. 004-2024-169-3867 of 2024-08-20)
  • Tax ID (INN): 10101198505505
  • Registered address: Kyrgyz Republic, Bishkek, Pervomaisky district, Borovskoy lane 28
  • Phone: +996 500 519 112
  • Data protection email: [email protected]
  • General support: [email protected]
  • Website: https://kms-system.com

2.2. Data Protection Officer (DPO) under Art. 38 of Law No. 179: contact — [email protected].

2.3. State registry of personal data operators (Art. 20 of Law No. 179): the registration number will be published once enrollment with the State Agency for Personal Data Protection of the Kyrgyz Republic is complete.


3. Joint controller model

3.1. KMS operates under a joint controller model within the meaning of Art. 19 of Law No. 179:

PartyRoleArea of responsibility
Sole Proprietor Tursunakunova Nurzhan Surapovna (OKPO 33188711, reg. no. 004-2024-169-3867 of 2024-08-20) (KMS)Operator of the software platformStorage, protection, and availability; technical security; breach notifications; subject rights interface
Kindergarten (KMS client)Operator of educational and organisational dataAccuracy of input; parental consents; internal access control

3.2. Allocation of responsibilities is formalised in the DPA section of the KMS Terms of Service.

3.3. A data subject may contact either party — the request will be processed jointly within statutory deadlines.


4. Categories of personal data processed

4.1. Children's data (minors — Art. 18 of Law No. 179):

CategoryItems
IdentificationFull name, date of birth, gender, residential address
DocumentaryBirth certificate number, document scans
Biometric (special category, Art. 8)Child's photograph
Medical (special category, Art. 8)Health group, allergies, chronic conditions, vaccination record, physician notes, medical card, incidents and injuries, physical measurements (height, weight, vision, hearing, blood pressure)
EducationalGroup, attendance, developmental assessments, daily diary entries
ContextualEmergency contacts, special notes

4.2. Parents / legal representatives:

CategoryItems
IdentificationFull name
ContactPhone, email
AccountRelationship to child, primary representative status
FinancialPayment history for kindergarten services
CommunicationMessages with kindergarten staff, notifications
TechnicalIP address, User-Agent, login history

4.3. Kindergarten staff:

CategoryItems
IdentificationFull name, date of birth, gender, address
Documentary (partially special)Passport data and scans, taxpayer ID, diplomas, employment contract
Biometric (special, Art. 8)Staff photograph
Medical (special, Art. 8)Medical book data
ProfessionalPosition, qualification, education, tenure, certificates
LabourLeaves, sick leave, schedules, salary, deductions, bonuses
AccountLogin, role, active status
TechnicalIP address, User-Agent, audit log

4.4. Visitors log: visitor's name, purpose, related child, check-in / check-out, ID document.

4.5. Waiting list: child's name, date of birth, parent's name and contacts.


5.1. Processing is limited to the purposes listed below on one of the legal bases of Art. 5 of Law No. 179:

PurposeCategoriesLegal basis
User identification and authenticationAccount, contactPerformance of contract (Art. 5(2))
Delivery of KMS servicesAll, by purposePerformance of contract
Enrollment and registration of a childChildren's, parents'Consent of legal representative (Art. 9 + 18)
Educational servicesEducational, attendanceEducation law (Art. 5(4))
Safeguarding the child's healthMedical, allergiesConsent + vital interests (Art. 5(6), Art. 8)
Payment for servicesFinancialContract + Tax Code
Personnel administrationStaffLabour Code (Art. 5(4))
Tax and accountingFinancialTax Code (Art. 5(4))
System securityTechnical (IP, User-Agent, logs)Legitimate interests (Art. 5(5))
CommunicationCommunicationContract

5.2. Processing of special categories (medical, biometric, minors' data — Art. 8 + 18) requires explicit and separate consent obtained via the KMS consent interface. No consent — no processing.

5.3. We do not use personal data for direct marketing, profiling, or transfers to third parties for advertising.


6. Third parties and cross-border transfers

6.1. Storage: all data are stored on the operator's own infrastructure physically located within the Kyrgyz Republic. No transfer outside KR occurs except as stated in 6.2.

6.2. Unavoidable cross-border transfers (Art. 32 of Law No. 179):

RecipientCountryDataPurposeBasis
Google LLC (Google OAuth)USAGoogle profile email and name (at login)User authenticationConsent expressed by clicking "Sign in with Google"
Cloudflare, Inc. (Cloudflare Tunnel)Global CDN/proxyIP address, User-Agent, HTTP metadata (in transit, no storage)HTTPS delivery and DDoS protectionLegitimate interests

6.3. We do not transfer personal data to third parties for commercial or advertising purposes. Transfers to state authorities occur only in cases mandated by law.

6.4. We do not use Supabase, Vercel, Amazon Web Services, Google Cloud or other foreign cloud storage for user personal data.


7. Retention periods

7.1. Under Art. 34 of Law No. 179 data are kept no longer than necessary.

CategoryRetentionBasis
Active usersDuration of agreementContract
After account deletion30-day grace, then destroyedTechnical recovery + Art. 34
Financial documents5 years from year of paymentTax Code
Staff employment records75 years (archival)Labour Code, archival law
Audit logs3 yearsLegitimate interests
Backups90 daysRecovery
Consent recordsValidity period + 3 years after withdrawalProof of lawfulness

7.2. After expiry, data are destroyed within two weeks with an internal destruction act.

7.3. Destruction applies to all copies: primary DB, backups (once their own retention expires), local caches.


8. Data subject rights

8.1. Under Arts. 10–13, 23 of Law No. 179 a data subject may:

  • Obtain information about processing — response within 14 days (Art. 10);
  • Request correction of inaccurate or incomplete data — applied within 7 days (Arts. 13, 35);
  • Request deletion ("right to be forgotten") if no other legal basis remains — within 7 days (Art. 23);
  • Withdraw consent at any time via the KMS interface or by emailing [email protected];
  • Object to processing for direct marketing or third-party transfers (Art. 12);
  • Complain to the State Agency for Personal Data Protection — https://dpa.gov.kg.

8.2. Send requests to [email protected] with proof of identity (to prevent unauthorised access to third-party data).

8.3. Withdrawing a legal representative's consent to processing a child's data makes continued KMS service provision technically impossible.


9. Security measures

9.1. The operator applies the following technical and organisational safeguards:

Technical:

  • Transport encryption: TLS 1.3, HSTS, HTTP → HTTPS redirect;
  • Session protection: httpOnly + Secure + SameSite cookies, short-lived JWT;
  • CSRF defence: double-submit cookie pattern on all mutations;
  • Brute-force and scanning protection: rate limiting, honeypot endpoints, 24-hour IP ban on suspicious activity;
  • Tenant isolation: application-layer filtering by kindergarten_id on every query;
  • Audit: append-only audit_logs table with DB-level update/delete locks;
  • Backups: encrypted automated snapshots;
  • Anomaly monitoring.

Organisational:

  • Minimisation: only data needed for a specific purpose;
  • Access segregation: 10-role RBAC;
  • Session control: automatic logout after inactivity;
  • Staff training on data protection;
  • Periodic access reviews;
  • Logging of critical operations.

9.2. No system can guarantee 100 % protection. The operator will react to incidents per section 10.


10. Breach notification

10.1. Under Art. 37 of Law No. 179:

  • The operator notifies the State Agency for Personal Data Protection within 72 hours of detection;
  • Where the breach poses a high risk to subjects, they are notified as soon as practicable via email / in-app;
  • A processor notifies the operator within 48 hours;
  • The notice includes: nature, affected categories and volume, expected consequences, measures taken.

10.2. The operator maintains an internal register of incidents.


11. Processing minors' data (Art. 18)

11.1. KMS processes data of children aged 0–10. All decisions are made by the legal representative.

11.2. Prior to processing the operator obtains electronic consent via the parent's KMS account.

11.3. Four consent blocks (table parent_consents):

  • General processing of child's data (data_processing) — required;
  • Medical data (medical_data) — required for enrollment;
  • Photograph usage (photo_usage) — optional;
  • Emergency medical care (emergency_treatment) — required.

11.4. The consent text is published at /{locale}/legal/parent-consent.

11.5. Minors' data are not used for automated decision-making, profiling, or transfers outside educational and medical purposes.


12. Cookies and similar technologies

12.1. KMS uses strictly necessary cookies only. No advertising or analytics cookies.

12.2. The full cookie list is at /{locale}/legal/cookies.

12.3. Separate cookie consent is not required because all cookies are essential to deliver the requested service.


13. Changes to this Policy

13.1. The current version is published at https://kms-system.com/{locale}/privacy.

13.2. Material changes (new data categories, new recipients, retention changes) are notified:

  • Via in-app notices;
  • Via user email (where available);
  • At least 14 days in advance.

13.3. Continued use after the effective date indicates acceptance of the new version.


14. Contacts