This Personal Data Processing Policy has been drawn up in accordance with the requirements of Federal Law No. 152-FZ dated 27 July 2006 “On Personal Data” (hereinafter referred to as the “Personal Data Law”) and defines the procedure for processing personal data and the measures implemented by “DAO AIR ENERGY” to ensure the security of personal data.
1.1. The Operator considers the observance of human and civil rights and freedoms in the processing of personal data, including the protection of the right to privacy and personal and family confidentiality, to be its most important objective and condition for carrying out its activities.
1.2. This Operator’s Policy regarding the processing of personal data (hereinafter referred to as the “Policy”) applies to all information that the Operator may obtain about visitors to the website https://healthyair.uz/en.

2.1. Automated processing of personal data — the processing of personal data using computer technology.
2.2. Blocking of personal data — the temporary suspension of the processing of personal data (except where processing is required to clarify personal data).
https://healthyair.uz/en.
2.4. Personal data information system — a set of personal data contained in databases and the information technologies and technical means ensuring their processing.
2.5. Depersonalisation of personal data — actions as a result of which it becomes impossible, without the use of additional information, to determine the affiliation of personal data to a specific User or another subject of personal data.
2.6. Processing of personal data — any action (operation) or set of actions (operations) performed using automation tools or without the use of such tools with personal data, including collection, recording, systematisation, accumulation, storage, clarification (updating, modification), extraction, use, transfer (distribution, provision, access), depersonalisation, blocking, deletion, and destruction of personal data.
2.7. Operator — a state authority, municipal authority, legal entity, or individual who independently or jointly with other persons organises and/or carries out the processing of personal data, as well as determines the purposes of processing of personal data, the composition of personal data subject to processing, and the actions (operations) performed with personal data.
2.8. Personal data — any information relating directly or indirectly to a specific or identifiable User of the website (https://healthyair.uz/en).
2.9. Personal data authorised by the subject of personal data for dissemination — personal data to which access by an unlimited number of persons is granted by the subject of personal data by giving consent to the processing of personal data authorised for dissemination in the manner prescribed by the Law on Personal Data (hereinafter — personal data authorised for dissemination).
2.10. User — any visitor to the website (https://healthyair.uz/en).
2.11. Provision of personal data — actions aimed at disclosure of personal data to a specific person or a specific group of persons.
2.12. Dissemination of personal data — any actions aimed at disclosure of personal data to an indefinite group of persons (transfer of personal data) or at familiarisation of an unlimited group of persons with personal data, including publication of personal data in mass media, placement in information and telecommunication networks, or provision of access to personal data by any other means.
2.13. Cross-border transfer of personal data — transfer of personal data to the territory of a foreign state to an authority of a foreign state, a foreign individual, or a foreign legal entity.
2.14. Destruction of personal data — any actions as a result of which personal data are irreversibly destroyed with the impossibility of further restoration of the content of personal data in an information system of personal data and/or material carriers of personal data are destroyed.

3.1. The Operator has the right to:
3.1.1. receive from the subject of personal data reliable information and/or documents containing personal data;
3.1.2. in the event of withdrawal by the subject of personal data of consent to the processing of personal data, as well as submission of a request to terminate processing of personal data, the Operator has the right to continue processing personal data without the consent of the subject of personal data if there are grounds specified in the Law on Personal Data;
3.1.3. independently determine the composition and list of measures necessary and sufficient to ensure fulfilment of obligations provided for by the Law on Personal Data and regulatory legal acts adopted in accordance with it, unless otherwise provided by the Law on Personal Data or other state laws.
3.2. The Operator is obliged to:
3.2.1. provide the subject of personal data, upon request, with information relating to the processing of their personal data;
3.2.2. organise the processing of personal data in the manner established by the current legislation of the Republic of Uzbekistan;
3.2.3. respond to appeals and requests of subjects of personal data and their legal representatives in accordance with the requirements of the Law on Personal Data;
3.2.4. inform the authorised body for protection of the rights of subjects of personal data, upon request of this body, with the necessary information within 10 days from the date of receipt of such request;
3.2.5. publish or otherwise ensure unrestricted access to this Policy regarding the processing of personal data;
3.2.6. take legal, organisational and technical measures to protect personal data from unlawful or accidental access, destruction, modification, blocking, copying, provision, dissemination of personal data, as well as from other unlawful actions in relation to personal data;
3.2.7. terminate transfer (dissemination, provision, access) of personal data, terminate processing and destroy personal data in the manner and cases provided for by the Law on Personal Data;
3.2.8. fulfil other obligations provided for by the Law on Personal Data.

4.1. Subjects of personal data have the right to:
4.1.1. receive information relating to the processing of their personal data, except in cases provided for by state laws. Information is provided to the subject of personal data by the Operator in an accessible form and must not contain personal data relating to other subjects of personal data, except in cases where there are lawful grounds for disclosure of such personal data. The list of information and the procedure for obtaining it are established by the Law on Personal Data;
4.1.2. demand from the Operator clarification of their personal data, blocking or destruction thereof if the personal data are incomplete, outdated, inaccurate, unlawfully obtained or not necessary for the stated purpose of processing, as well as take measures provided for by law to protect their rights;
4.1.3. put forward a condition of obtaining prior consent when processing personal data for the purpose of promotion of goods, works and services on the market;
4.1.4. withdraw consent to the processing of personal data, as well as submit a request to terminate processing of personal data;
4.1.5. appeal unlawful actions or inaction of the Operator when processing their personal data to the authorised body for protection of the rights of subjects of personal data or in court;
4.1.6. exercise other rights provided for by the legislation of the Republic of Uzbekistan.
4.2. Subjects of personal data are obliged to:
4.2.1. provide the Operator with accurate data about themselves;
4.2.2. notify the Operator of clarification (updating, modification) of their personal data.
4.3. Persons who provided the Operator with inaccurate information about themselves or information about another subject of personal data without the consent of the latter shall bear liability in accordance with the legislation of the Republic of Uzbekistan.

5.1. Processing of personal data is carried out on a lawful and fair basis.
5.2. Processing of personal data is limited to achieving specific, predetermined and lawful purposes. Processing of personal data incompatible with the purposes of collection of personal data is not permitted.
5.3. Combining databases containing personal data, the processing of which is carried out for purposes incompatible with each other, is not permitted.
5.4. Only personal data that correspond to the purposes of their processing are subject to processing.
5.5. The content and volume of processed personal data correspond to the stated purposes of processing. Excessiveness of processed personal data in relation to the stated purposes of their processing is not permitted.
5.6. When processing personal data, accuracy of personal data, their sufficiency and, where necessary, relevance in relation to the purposes of processing are ensured. The Operator takes necessary measures and/or ensures their adoption to remove or clarify incomplete or inaccurate data.
5.7. Storage of personal data is carried out in a form allowing identification of the subject of personal data no longer than required by the purposes of processing, unless the storage period is established by law or by a contract to which the subject of personal data is a party, beneficiary or guarantor. Processed personal data are destroyed or depersonalised upon achievement of processing purposes or in case of loss of necessity to achieve these purposes, unless otherwise provided by state law.

7.1. Processing of personal data is carried out with the consent of the subject of personal data to the processing of their personal data.
7.2. Processing of personal data is necessary to achieve the purposes provided for by an international treaty of the Republic of Uzbekistan or by law, for the exercise of functions, powers and obligations imposed on the Operator by legislation of the Republic of Uzbekistan.
7.3. Processing of personal data is necessary for the administration of justice, execution of a judicial act, act of another body or official subject to execution in accordance with the legislation of the Republic of Uzbekistan on enforcement proceedings.
7.4. Processing of personal data is necessary for the performance of a contract to which the subject of personal data is a party or beneficiary or guarantor, as well as for concluding a contract at the initiative of the subject of personal data or a contract under which the subject of personal data will be a beneficiary or guarantor.
7.5. Processing of personal data is necessary to exercise the rights and legitimate interests of the Operator or third parties or to achieve socially significant purposes, provided that the rights and freedoms of the subject of personal data are not violated.
7.6. Processing of personal data is carried out, access to which is provided to an unlimited number of persons by the subject of personal data or at their request (hereinafter — publicly available personal data).
7.7. Processing of personal data subject to publication or mandatory disclosure in accordance with law is carried out.

Security of personal data processed by the Operator is ensured through implementation of legal, organisational and technical measures necessary to fully comply with the requirements of current legislation in the field of personal data protection.

8.1. The Operator ensures the safety of personal data and takes all possible measures to prevent access to personal data by unauthorised persons.
8.2. Personal data of the User shall never, under any circumstances, be transferred to third parties, except in cases related to compliance with current legislation or where the subject of personal data has given consent to the Operator to transfer data to a third party for fulfilment of obligations under a civil-law contract.
8.3. If inaccuracies in personal data are identified, the User may update them independently by sending a notification to the Operator at the email address [info@hepa.uz](mailto:info@hepa.uz) marked “Personal data update”.
8.4. The period of processing of personal data is determined by achievement of the purposes for which the personal data were collected, unless another period is provided for by a contract or current legislation.
The User may withdraw their consent to the processing of personal data at any time by sending a notification to the Operator at [info@hepa.uz](mailto:info@hepa.uz) marked “Withdrawal of consent to processing of personal data”.
8.5. All information collected by third-party services, including payment systems, communication tools and other service providers, is stored and processed by such persons in accordance with their User Agreements and Privacy Policies. The Operator is not responsible for the actions of third parties.
8.6. Prohibitions established by the subject of personal data on transfer or processing of personal data authorised for dissemination do not apply in cases of processing in public interests determined by legislation of the Republic of Uzbekistan.
8.7. When processing personal data, the Operator ensures confidentiality of personal data.
8.8. The Operator stores personal data in a form that allows determining the subject of personal data for no longer than the purposes of personal data processing require, unless the period of personal data storage is established by law, an agreement to which the personal data subject is a party, beneficiary or guarantor.
8.9. Grounds for termination of processing of personal data include achievement of processing purposes, expiration or withdrawal of consent, a request to terminate processing, or identification of unlawful processing.

9.1. The Operator carries out collection, recording, systematisation, accumulation, storage, clarification (updating, modification), extraction, use, transfer, depersonalisation, blocking, deletion and destruction of personal data.
9.2. The Operator carries out automated processing of personal data with receipt and/or transfer of information via information and telecommunication networks or without such networks.

10.1. Prior to commencing cross-border transfer of personal data, the Operator shall notify the authorised body for protection of the rights of subjects of personal data.
10.2. Before submitting such notification, the Operator shall obtain relevant information from foreign authorities, individuals or legal entities to whom personal data are to be transferred.

The Operator and other persons who have gained access to personal data are obliged not to disclose or disseminate personal data without consent, unless otherwise provided by law.

12.1. The User may obtain explanations regarding processing of their personal data by contacting the Operator via email at info@hepa.uz.
12.2. Any changes to this Policy shall be reflected in this document. The Policy remains valid indefinitely until replaced by a new version.
12.3. The current version of the Policy is publicly available on the Internet at https://healthyair.uz/en.