1. Purpose and Legal Basis
This policy governs the collection, processing, storage, and protection of personal data of users of the website s2g.kz (hereinafter — the Website).
Personal data is processed in accordance with the Law of the Republic of Kazakhstan On Personal Data and Their Protection dated 21 May 2013, No. 94-V (hereinafter — the Law).
2. Personal Data Controller
Controller details (legal entity name, BIN, registered address) will be published in an updated revision of this Policy upon completion of registration procedures. Until then, requests related to personal data processing and the exercise of data subject rights are directed to the contact email address:
- Contact email: info@s2g.kz
- Compliance contact: compliance@s2g.kz
3. Categories of Personal Data Processed
The controller processes the following categories of personal data:
3.1. Retail order form (shopping cart)
- Buyer full name
- Phone number
- Email address
- Order comment (if provided)
- Order contents: book identifiers, quantities, prices at the time of order placement
3.2. B2B request form (wholesale, schools, marketplaces)
- Organisation name and legal form
- Region (oblast / city)
- Full name of the contact person
- Email address of the contact person
- Phone number of the contact person
- Request text
- Attached file or document link (if provided)
- IP address and browser User-Agent string at the time of submission
3.3. Author / publisher application form
- Author full name
- Email address
- Phone number
- Manuscript title
- Manuscript synopsis
- Manuscript file or link (if provided)
- IP address and browser User-Agent string at the time of submission
3.4. Data protection request form (compliance)
- Full name (if provided)
- Email address
- Phone number (if provided)
- Request subject (complaint, ethics violation, data access request, other)
- Request text
- Attached file (if provided)
- IP address and browser User-Agent string at the time of submission
- Version of the privacy policy in effect at the time of submission
3.5. Technical data (collected automatically)
- Visitor IP address
- Browser type and version (User-Agent)
- Page visit data transmitted to the Yandex Metrica web analytics service
4. Purposes of Processing
| Purpose | Data categories |
|---|---|
| Processing and fulfilment of retail orders | Sect. 3.1 |
| Review of B2B requests and negotiations | Sect. 3.2 |
| Review of author and publisher applications | Sect. 3.3 |
| Handling data protection requests | Sect. 3.4 |
| Website traffic analysis and improvement | Sect. 3.5 |
| Compliance with the legislation of the Republic of Kazakhstan | All sections |
5. Legal Bases for Processing
- Data subject consent (Art. 8 of the Law): when submitting any form on the Website, the user ticks the checkbox confirming acceptance of this policy. The version of the policy in effect at the time of consent is recorded in the database together with the date and time of submission.
- Performance of a contract (Art. 8 of the Law): processing of retail order data is necessary to fulfil obligations to the buyer.
- Legitimate interests of the controller (Art. 8 of the Law): processing of technical data (IP address, User-Agent) to ensure Website security and prevent fraudulent activity.
6. Retention Periods
| Data category | Retention period |
|---|---|
| Retail order data | Order fulfilment period + 5 years (per RK tax legislation) |
| B2B request data | Request review period + 5 years |
| Author application data | Request review period + 3 years |
| Data protection request data | 5 years from the date of submission |
| Session cookies (laravel_session, XSRF-TOKEN) | 120 minutes (session lifetime) |
| Analytics data (Yandex Metrica) | Per Yandex Metrica data retention policy (up to 24 months) |
Upon expiry of the retention period, personal data is deleted or anonymised.
7. Transfer of Personal Data to Third Parties
The controller transfers personal data to the following categories of recipients:
7.1. Yandex Metrica (Yandex LLC, Russian Federation)
The Website uses the Yandex Metrica counter. Yandex Metrica receives: the visitor IP address, User-Agent string, URLs of visited pages, and user interaction events (e.g. catalogue browsing, cart interactions). Data is transferred on the basis of user consent. Yandex Privacy Policy: https://yandex.ru/legal/confidential/
7.2. Hosting provider ps.kz (Republic of Kazakhstan)
The Website is hosted on servers of ps.kz. Personal data is stored on servers located within the territory of the Republic of Kazakhstan.
7.3. Email infrastructure of hosting provider ps.kz
Built-in SMTP infrastructure of the hosting provider ps.kz (Republic of Kazakhstan) is used to send notifications and confirmations — mail servers located within the territory of the Republic of Kazakhstan and integrated with the Website hosting servers. External email services (Mailgun, SendGrid, etc.) are not used. Personal data is not transferred outside the Republic of Kazakhstan in the part related to email notifications. The email service receives only the recipient email address and the content of the relevant notification.
Personal data is not transferred to any other parties without the data subject consent, except as expressly required by the legislation of the Republic of Kazakhstan.
8. Rights of the Data Subject
Under the Law, the data subject has the right to:
- obtain information about the personal data being processed and about the controller (Art. 14);
- request correction of personal data that is inaccurate or outdated (Art. 22);
- request cessation of processing and / or deletion of personal data in cases provided by the Law (Art. 21);
- withdraw consent to personal data processing; withdrawal of consent does not affect the lawfulness of processing carried out prior to withdrawal;
- lodge a complaint with the competent authority — the Ministry of Digital Development, Innovation and Aerospace Industry of the Republic of Kazakhstan.
To exercise your rights, use the form at s2g.kz/legal/compliance or contact: compliance@s2g.kz.
9. Cookies and Analytics
9.1. Cookies set by the Website
| Name | Type | Purpose | Lifetime |
|---|---|---|---|
| laravel_session | Session cookie | User session identification | 120 minutes |
| XSRF-TOKEN | Session cookie | Cross-site request forgery (CSRF) protection | 120 minutes |
9.2. Browser local storage (localStorage)
| Name | Purpose |
|---|---|
| bookstore.cart.v1 | Storing the buyer cart contents in the browser |
bookstore.cart.v1 data is not sent to the server automatically and is not a cookie. It is deleted when the user clears site data in the browser.
9.3. Analytics cookies (Yandex Metrica)
Yandex Metrica sets its own cookies to identify unique visitors and collect traffic statistics. For a list of Yandex Metrica cookies, see: https://yandex.ru/legal/confidential/
9.4. Managing cookies
You may disable cookies in your browser settings. Disabling session cookies (laravel_session, XSRF-TOKEN) will prevent the use of Website forms. Disabling analytics cookies does not affect Website functionality.
10. Data Protection Measures
To protect personal data, the controller applies the following measures:
- data transmission between the user browser and the server is carried out using TLS 1.2 or higher;
- user sessions are encrypted and have a limited lifetime (120 minutes);
- access to the database and administrator panel is restricted to authorised personnel only;
- login events and administrator actions are recorded in an audit log;
- files uploaded by users through forms are validated for type and size before storage.
11. Contact Information
For questions regarding the processing of personal data, the exercise of data subject rights, and other matters relating to this policy, please contact:
- Via the form on the Website: s2g.kz/legal/compliance
- By email: compliance@s2g.kz
The controller will respond to requests within 10 business days of receipt.
12. Changes to This Policy
The controller may update this policy. When changes are made, the document version number is incremented. The current version is always available at s2g.kz/legal/privacy-policy.
When users resubmit forms on the Website after a policy update, they confirm acceptance of the updated version. The version of the policy under which consent was given is recorded in the database together with the date and time of submission.
The specific revision date is not indicated — the operational identifier is the version number. Upon significant changes, the version is increased (1.0 → 1.1 for clarifications / 1.0 → 2.0 for substantial revisions).