PRIVACY POLICY NEXAXT WECO
Version: 1.0
Effective date: 11 May 2026
Canonical URL: https://weco.nexaxt.com/pages/privacy-policy-en.html
1. GENERAL
1.1. This Privacy Policy (the "Policy") sets out how NEXA IKS TI LLP (BIN 230940021527), 050013, Republic of Kazakhstan, Almaty, Bostandyk district, Seifullin Avenue, building 617 (the "Operator", "Company", "We") processes personal data in connection with use of https://weco.nexaxt.com and the WECO service.
1.2. The Policy is grounded in: (a) RK Law No. 94-V of 21 May 2013 "On Personal Data and Their Protection" ("94-V"); (b) MCRIAP Order No. 395/НҚ of 21 October 2020 approving the Rules on Collection and Processing of Personal Data ("Rules 395"); (c) RK Law No. 418-V of 24 November 2015 "On Informatization"; (d) RK Law No. 567-II of 5 July 2004 "On Communications"; (e) GDPR (for EU/EEA data subjects) and UK GDPR (for UK data subjects), to the extent applicable.
1.3. Important role split. When the Client uses the WECO software to publish SPV sites on its own infrastructure, the Client is the sole controller of personal data of End Users of those sites. The Company does not access that data and is neither controller nor processor of it. This Policy covers only data the Client transmits directly to the Company (Section 4).
1.4. Data Protection Officer (DPO):
(a) Email: anton.orlov@nexaxt.com;
(b) Address: 050013, Almaty, Bostandyk district, Seifullin Avenue 617;
(c) Subject line: "Data subject request" / "DPO request".
2. DEFINITIONS
2.1. Personal data — information relating to an identified or identifiable natural person, recorded on electronic, paper or other media.
2.2. Subject — natural person whose personal data is processed.
2.3. Processing — any operation: collection, recording, storage, alteration, use, transfer, anonymization, blocking, erasure, destruction.
2.4. Pseudonymisation — storage of personal data in a form that no longer attributes it to a subject without separate keying information.
2.5. Consent — freely given, informed, specific and unambiguous indication of the subject's wishes.
2.6. Cookie — small file stored by the visitor's browser. See the Cookie Policy.
3. PRINCIPLES
3.1. The Company processes personal data: (a) lawfully and fairly; (b) for specific, declared and legitimate purposes; (c) in the minimum amount necessary; (d) accurately and kept up to date; (e) for no longer than necessary; (f) with appropriate organizational and technical security measures.
4. WHAT WE COLLECT
4.1. Registration / billing (on license purchase): (a) name / organization; (b) email; (c) phone (optional); (d) legal entity name, BIN/TIN/VAT; (e) payment data (the payment provider handles full card data; we receive only limited transaction metadata).
4.2. Support / communications: (a) ticket content, including any personal data the subject voluntarily provides; (b) email correspondence.
4.3. Site visitor technical data (web logs): (a) IP address; (b) User-Agent; (c) Referer; (d) requested URL; (e) UTC timestamp; (f) HTTP status code.
4.4. Click-wrap acceptance log (on accepting the Offer):
(a) email;
(b) license_id;
(c) SHA-256 hash of accepted documents' canonical text;
(d) UTC acceptance timestamp;
(e) IP address;
(f) User-Agent.
4.5. Marketing data (on email-list opt-in): (a) email; (b) name (optional); (c) marketing consent record.
4.6. Cookies — see Cookie Policy.
4.7. Heartbeat data (admin VM telemetry)
4.7.1. The Client's installed admin VM makes one outbound HTTPS request per hour to https://nexaxt.com/api/weco/host-heartbeat. Purposes — (a) license-active confirmation, (b) detection of "parallel" use of a single license across multiple VMs (a clear indicator of resale or leakage), (c) tracking adoption of release versions.
4.7.2. Each heartbeat carries:
(a) license_id and customer_id — identifiers issued to the Client at purchase;
(b) SHA-256 hash of the admin VM's /etc/machine-id (the "host fingerprint") — a stable but irreversible identifier of the Linux installation; it is not an IP, not a hostname and not a serial number, and the original value cannot be recovered from the hash;
(c) the count of hosts registered in the admin (number, no IPs/details);
(d) the release tag (e.g. v0.0.X);
(e) the source IP of the request (the same IP is already visible to us via the DNS A-record of the Client's admin domain — no new data source).
4.7.3. The heartbeat does NOT carry: (a) Client SPV-site content or any End-User data; (b) PDF files, images, or other uploaded documents; (c) admin audit log, names or emails of admin users; (d) host configurations, SSH keys, bearer tokens, or MASTER_SECRET; (e) End-User requests to Client sites.
4.7.4. Retention of heartbeat records: 24 months from receipt (for parallel-use detection and the legal evidence basis of §3(e) of the Master Services Agreement). After expiry — automatic deletion; see also §7.
4.7.5. Opt-out: the Client can fully disable the heartbeat by setting environment variable FF_HEARTBEAT_DISABLE=1 in /etc/ff-admin/.env and restarting the ff-admin service. The heartbeat opens no inbound ports and is always initiated from the Client's admin VM.
4.7.6. Leak detection. If detection rules fire (a single license used on multiple host fingerprints, use of a revoked license, forged heartbeat signature) NexaXT generates an evidence bundle — a JSON manifest with an Ed25519 signature — and retains it for 24 months. The manifest's contents are limited to the fields listed in §4.7.2; Client site content never appears in the manifest.
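As an added illustration (not the Company's own code) of the heartbeat fields in §4.7.2 and the parallel-use rule in §4.7.6: the host fingerprint is the SHA-256 of the /etc/machine-id contents, and a license is flagged when it reports from more than one fingerprint. The JSON field names, the stripping of the file's trailing newline, and the sample machine-id values are assumptions; the heartbeat signature §4.7.6 mentions is not specified on the page and is not modelled.

```python
import hashlib
import json
from collections import defaultdict

# Constructed sample content of /etc/machine-id (32 hex chars + newline); not a real host.
SAMPLE_MACHINE_ID = "9f1c2a7e4b3d4e5f8a6b7c8d9e0f1a2b\n"


def host_fingerprint(machine_id_text: str) -> str:
    """SHA-256 hex digest of the machine-id line (§4.7.2(b)).
    Assumption: the trailing newline is stripped before hashing, so the
    fingerprint is stable across tools that write the file with or without it."""
    return hashlib.sha256(machine_id_text.strip().encode("ascii")).hexdigest()


def build_heartbeat(license_id: str, customer_id: str, machine_id_text: str,
                    host_count: int, release_tag: str) -> dict:
    """Assemble the client-side fields of §4.7.2(a)-(d). The source IP (e) is
    observed by the server from the connection and is not part of the body.
    Field names are assumed, not taken from the service."""
    return {
        "license_id": license_id,
        "customer_id": customer_id,
        "host_fingerprint": host_fingerprint(machine_id_text),
        "host_count": host_count,
        "release_tag": release_tag,
    }


def detect_parallel_use(records: list[dict]) -> dict[str, list[str]]:
    """Server-side rule from §4.7.6: one license_id seen with more than one
    distinct host fingerprint. Returns {license_id: sorted fingerprints} for
    every license that fires; an empty dict means nothing fired."""
    seen: dict[str, set[str]] = defaultdict(set)
    for rec in records:
        seen[rec["license_id"]].add(rec["host_fingerprint"])
    return {lic: sorted(fps) for lic, fps in seen.items() if len(fps) > 1}


if __name__ == "__main__":
    # Two heartbeats for the same license from different VMs, one clean license.
    received = [
        build_heartbeat("LIC-0001", "CUST-0001", SAMPLE_MACHINE_ID, 3, "v0.0.X"),
        build_heartbeat("LIC-0001", "CUST-0001", "0123456789abcdef0123456789abcdef\n", 3, "v0.0.X"),
        build_heartbeat("LIC-0002", "CUST-0002", "fedcba9876543210fedcba9876543210\n", 1, "v0.0.X"),
    ]
    print(json.dumps(received[0], indent=2))
    print("flagged:", detect_parallel_use(received))
```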
4.8. What we do NOT collect: (a) Client SPV-site content and related End-User data (live exclusively on the Client's infrastructure); (b) full payment-card data (PCI-DSS scope is at the payment provider); (c) special categories (race, political views, religion, health, biometrics) — not requested, not processed.
5. PURPOSES AND LEGAL BASES
5.1. Each processing operation has a legal basis in 94-V:
| Purpose | Data categories | Legal basis (94-V) |
|---|---|---|
| Conclude and perform the Agreement with the Client | Registration, billing | Art. 9(1)(2): perform a contract |
| Tax / accounting compliance | Billing | Art. 9(1)(1): legal obligation |
| Technical support | Support, billing, technical | Art. 9(1)(2): perform a contract |
| Site security (anti-fraud, anti-abuse) | Web logs, IP, User-Agent | Art. 9(1)(6): legitimate interests |
| Click-wrap log (proof of acceptance) | Click-wrap data | Art. 9(1)(2) + 9(1)(6) |
| Marketing email | Email, name | Art. 7(1): consent (revocable) |
| Cookies (preferences, analytics, marketing) | Cookie ID | Art. 7(1): consent via banner |
| AML/CFT, sanctions checks | KYC | Art. 9(1)(1): RK Law 191-IV |
5.2. Consent. Where consent is the basis, it may be withdrawn at any time via anton.orlov@nexaxt.com or account settings. Withdrawal is not retroactive. The consequence for billing-data withdrawal in an active account is suspension / closure.
6. RECIPIENTS. SUB-PROCESSORS. CROSS-BORDER TRANSFERS
6.1. The full live list of sub-processors is at https://weco.nexaxt.com/pages/subprocessors-en.html.
6.2. Snapshot:
| Sub-processor | Purpose | Jurisdiction | Categories |
|---|---|---|---|
| FirstVDS | Public website hosting | Russian Federation | Web logs, IP, contact-form |
| Open-Xchange / NetSol Hosting | Corporate email | US / EU | Email, billing notices |
| FreedomPay | Payment gateway | Republic of Kazakhstan | Payment metadata, billing |
| GitHub (Microsoft) | Repo, releases, security advisories | US | Public commit data, GitHub username |
| Cloudflare (if used) | CDN / DNS | US | IP, User-Agent on passthrough |
6.3. Cross-border transfer. Transfers to foreign states are permitted: (a) where the foreign state ensures adequate protection of subject rights (94-V Art. 16(2)(1)); (b) on written subject consent (94-V Art. 16(2)(2)); (c) for performance of a contract to which the subject is a party (94-V Art. 16(2)(4)).
6.4. Adequacy assessment. The Company has assessed: (a) United States — no general adequacy; transfer only with Standard Contractual Clauses (Module 2 — controller-to-processor) with the provider, OR subject consent, OR contractual necessity; (b) Russian Federation — SCCs or subject consent; (c) Republic of Kazakhstan — domestic processing; (d) EU / UK — mutual adequacy is recognized.
6.5. SCCs. The Company concludes SCC (or equivalent) with each non-RK sub-processor, providing protection comparable to 94-V.
6.6. Disclosures to RK state authorities. The Company is obliged to provide data on lawful demand of authorized state bodies.
7. RETENTION
7.1.
| Category | Retention | Basis |
|---|---|---|
| Registration / billing (active account) | Active term + 1 year after closure | Contract + statute of limitations |
| Financial / tax documents | 5 years from transaction | RK Tax Code Art. 48(6) |
| Click-wrap acceptance log | 7 years | Contract proof + long limitation |
| SMTP logs (email metadata) | 90 days | Technical minimum |
| Site audit logs | 90 days | Incident investigation minimum |
| Web logs (general visits) | 90 days | Technical minimum |
| Marketing | Until consent withdrawal or 3 years inactive | Consent + LIA |
| Cookies | Up to 12 months (per Cookie Policy) | ePrivacy / 94-V |
| KYC (AML) | 5 years post-relationship | Law 191-IV Art. 5(4) |
| Support tickets | 3 years post-closure | Legitimate interests |
| Admin VM heartbeat records (see §4.7) | 24 months from receipt | License-leak detection + evidence basis under §3(e) MSA |
| Evidence bundle (detection-rule fire) | 24 months from creation | Legal record of incident + Ed25519 signature |
7.2. After expiry, data is deleted or anonymized securely.
7.3. Data may be retained longer under a legal hold (live dispute, regulator investigation, legal requirement).
8. SUBJECT RIGHTS
8.1. Each subject has the rights (94-V Art. 24 etc.; GDPR Art. 15-22 if applicable):
(a) access — what data we process about them; (b) rectification — inaccurate or incomplete; (c) erasure ("right to be forgotten"), subject to retention exceptions; (d) restriction; (e) objection to legitimate-interests processing or to direct marketing; (f) data portability in a structured machine-readable format; (g) withdraw consent at any time (no retroactive effect); (h) lodge a complaint with the supervisory authority.
8.2. Procedure:
(a) Send the request to anton.orlov@nexaxt.com with subject "Data subject request"; (b) The Company must verify identity to prevent fraudulent disclosure. Methods: reply from the email on file; identity-confirming information; (c) Reply within 30 calendar days of receipt and verification. In complex cases — extension by another 30 days with notice; (d) Free of charge. Repetitive or manifestly unfounded requests may be charged or refused.
8.3. Refusal grounds: (a) manifestly unfounded; (b) repetitive or excessive; (c) granting it would breach third-party rights; (d) legal hold; (e) data necessary for the Company's defence in a dispute; (f) other statutory grounds.
Refusal includes a stated reason.
8.4. Right to complain. The supervisory authority is the Information Security Committee of MCRIAP RK: (a) Web: https://www.gov.kz/memleket/entities/ckis; (b) Address: 010000, Astana, Mangilik El Avenue 8, House of Ministries.
EU/UK subjects may complain to their national authority (CNIL, BfDI, ICO etc.).
9. SECURITY
9.1. Technical and organizational measures:
(a) Encryption at rest — passwords / secrets via bcrypt; other secrets AES-256-GCM with MASTER_KEY_VERSION rotation;
(b) Encryption in transit — TLS 1.2+;
(c) RBAC — least privilege;
(d) MFA for admin access;
(e) Append-only audit log;
(f) Encrypted backups;
(g) Network segmentation between admin VM, host VMs, DB;
(h) Data minimization;
(i) Staff training;
(j) NDAs with all employees and contractors with data access.
9.2. Breach notification. On a personal-data breach the Company shall notify: (a) the RK supervisory authority (MCRIAP) within 24 hours of detection, per 94-V Art. 25-1; (b) affected subjects within 72 hours if the breach poses risk to their rights and freedoms.
The notification includes the nature, categories and approximate number of subjects/records, contact, consequences, mitigation.
10. AUTOMATED DECISION-MAKING. PROFILING
10.1. The Company does not make decisions about subjects based solely on automated processing (including profiling) producing legal effects on them or similarly significantly affecting them.
10.2. Should such mechanisms be introduced, subjects will be notified and given the right to object and to human intervention.
11. CHILDREN
11.1. The WECO Service is not offered to persons under 18.
11.2. On detection of a minor account, it is blocked immediately and associated data deleted (except financial / tax data subject to mandatory retention).
11.3. Parents / guardians may contact anton.orlov@nexaxt.com.
12. CONSENT WITHDRAWAL. CONSEQUENCES
12.1. Consent may be withdrawn at any time.
12.2. Consequences: (a) where consent is the only basis → processing stops; (b) where another basis exists → processing may continue under that basis; (c) for an active Client account, withdrawing consent for billing-data processing makes the Service inoperable → suspension.
13. CONTACTS
Operator: NEXA IKS TI LLP / ТОО «НЕКСА ИКС ТИ»
BIN: 230940021527
Address: 050013, Almaty, Bostandyk district, Seifullin Avenue 617
DPO email: anton.orlov@nexaxt.com
General email: info@nexaxt.com
RK Supervisory Authority: Information Security Committee, MCRIAP RK
Address: 010000, Astana, Mangilik El Ave. 8
Web: https://www.gov.kz/memleket/entities/ckis
14. CHANGES
14.1. The Company may update the Policy. The new version is published on this page with effective date.
14.2. Material changes adverse to subjects are notified at least 30 days in advance (email and/or Site banner).
14.3. Version history is archived (request via anton.orlov@nexaxt.com).
End of Privacy Policy v1.0 of 11 May 2026.