Approved
by the Order No. 96/26 dated February 6, 2026
Contents
1. General Provisions
2. Terms and Definitions
3. Personal Data Processing Principles
4. Legal Grounds for Processing Personal Data
5. Terms, Purposes, and Features of Personal Data Processing
6. Rights of Personal Data Subjects
7. Personal Data Protection
8. Personal Data Protection Principle
9. Transfer of Personal Data to Third Parties
10. Cross-Border Data Transfer
11. Storage and Destruction of Personal Data
12. Authorized Division
13. Duties and Responsibilities of the Company's Employees
14. Final Provisions
1. GENERAL PROVISIONS
1.1. This Personal Data Processing and Protection Policy (hereinafter referred to as the 'Policy') defines the procedure for processing and protecting personal data at Unitel LLC (hereinafter referred to as the 'Company').
1.2. The Policy has been drawn up according to the Laws of the Republic of Uzbekistan (hereinafter referred to as the 'RUz') on personal data.
1.3. The Company owns and operates personal data databases and ensures that they are processed according to legal requirements and protected against unauthorized access and other illegal actions with personal data.
2. TERMS AND DEFINITIONS
2.1. Personal data means information recorded on electronic, paper, and (or) other tangible media that relates to a certain individual or makes it possible to identify him/her.
2.2. Personal data processing means one or a set of actions with personal data:
- collection;
- systematization;
- storage;
- change;
- addition;
- use;
- provision;
- distribution;
- transfer;
- depersonalization;
- destruction.
2.3. Personal Data Subject (Subject) means an individual to whom personal data relates.
2.4. Official Website means the Company's Internet resource designed to post official information, interact with Personal Data Subjects, and publish mandatory information according to the Laws and the Company's internal regulations available at https://beeline.uz.
2.5. Services means a set of services and digital solutions provided by the Company and/or Business Partner, including communication services, Digital Services, as well as other forms of interaction with Subscribers, Users of digital services, Business Partners, and other persons within the scope of the Company's core business.
2.6. Digital Service means a set of technological solutions provided by the Company and/or Business Partner using information and communication technologies (including mobile applications, web platforms, and other systems) designed to serve users.
2.7. Subscriber means an individual with whom a contract for the communication services has been concluded, or a person who actually uses the Company's communication services subject to a contract (including when registered in the name of a third party).
2.8. Digital Services User means an individual who uses the Digital Services of the Company and/or Business Partners according to relevant user agreements/offers, regardless of whether there is a contract for communication services.
2.9. Contractor (Individual) means an individual with whom the Company interacts under a civil law contract (including, but not limited to: contracts for work, services, copyright agreements), as well as an individual entrepreneur operating without forming a legal entity.
2.10. Business Partner means a legal entity or individual (including individual entrepreneurs) who participates jointly with the Company in implementing services, products, marketing, and bonus programs, as well as other projects on a contractual basis.
2.11. Authorized Representative means an individual acting for or on behalf of a Business Partner (legal entity or individual entrepreneur), including prospective Business Partners according to the Laws, Articles of Association, power of attorney, or other legal basis, as well as individual whose personal data is processed by the Company due to their status as a member of a legal entity (including founders, managers, signatories), regardless of whether a contract has been concluded.
2.12. Third Party means any person who is not a subject, owner, and/or controller, but who is related to thereto by personal data processing circumstances or relationships.
2.13. Cross-Border Transfer of Personal Data means the transfer of personal data outside the Republic of Uzbekistan.
2.14. Anonymized Personal Data means personal data that has been processed in such a way that it is no longer possible to identify the specific data subject to whom it belongs.
2.15. Aggregated Data means generalized statistical information formed from anonymized personal data that does not provide identification of a specific subject and has aggregate characteristics (e.g., average values, quantity, percentage, distribution).
2.16. Automated Personal Data Processing means processing of personal data using information technology, software, algorithms, and automated systems, when actions with personal data involve no or predominantly no human.
2.17. Authorized Unit means a structural unit of the Company ensuring the processing and protection of personal data according to the Laws of the Republic of Uzbekistan.
2.18. Personal Data Protection means a set of legal, organizational, and technical measures aimed at ensuring the confidentiality, integrity, and availability of personal data, as well as preventing its loss, unauthorized access, alteration, destruction, distribution, and other unlawful actions.
2.19. Confidentiality of Personal Data means the state of personal data, when they are secured from illegal processing.
2.20. Integrity of Personal Data means the state of personal data, when they are preserved in its original and/or established form, protected from unauthorized or accidental alteration, deletion, or distortion, and can be restored in case of failure, loss, or damage.
2.21. Technical Information means a set of data automatically collected and processed when the Subject of Personal Data uses the Company's Services, including, but not limited to: device and module identifiers (IMEI, IMSI, MAC address, serial number, model, equipment type); SIM card and cell tower connection information (CT ID, registration, coverage area); IP address, network parameters, connection type, connection speed, roaming mode; information about the operating system and software (version, identifiers, usage parameters); geodata (country, city, coordinates, entry point); log files and logs (errors, events, API calls, sessions); cookies and similar technologies; information about technical support requests (date, content, result); other automatically generated technical data necessary for the provision, support, operation, analysis, and security of the Services.
2.22. Behavioral Profile means a set of information formed when using the Company's Services by the Subject of Personal Data characterizing their actions, preferences, and level of activity, including actions on websites and in mobile applications (clicks, transitions, session duration, frequency of use); automatically generated behavioral models and specifications ((e.g., interests, preferences, inclinations, level of engagement); consumption, history of Services' use, interaction scenarios; analytical conclusions based on Big Data and machine learning algorithms; other information about individual characteristics of the Subject's behavior when using the Services.
2.23. Financial Information means a set of Personal Data about the financial activity of the Data Subject when using the Company's Services or interacting therewith, including, but not limited to: information about the balance, tariffs, accruals, write-offs, and debts; payment history, including the date, amount, method, and purpose of transactions; information about the payment instruments used by the Subject (including card type, payment system, masked number, tokenized data); information about transactions made in the Company's Digital Services (including purchases, subscriptions, bonuses, and discounts); bank and settlement details provided for payments or refunds; other information directly or indirectly disclosing the Subject's transactions stored or processed in the Company's information systems.
2.24. Artificial Intelligence (AI) means a set of technological solutions allowing to mimic human cognitive functions (including self-learning and problem-solving) and to obtain results comparable to the results of human intellectual activity when performing specific tasks.
3. PERSONAL DATA PROCESSING PRINCIPLES
3.1. The Company processes personal data strictly according to the principles established by the Laws of the Republic of Uzbekistan. These principles are mandatory for all employees and third parties involved in the Personal Data Processing and are the basis for assessing the legality of the processing.
3.2. Breaching of any of the principles of Personal Data Processing shall be considered as breaching of the Laws of the Republic of Uzbekistan and entails liability in a prescribed manner.
3.3. The core principles of Personal Data Processing:
3.3.1 respect for the constitutional rights and freedoms of the individual and citizen;
3.3.2. legal validity of the purposes and methods of Personal Data Processing;
3.3.3. accuracy and reliability of Personal Data;
3.3.4. confidentiality and security of Personal Data;
3.3.5. equality of rights of subjects, owners, and operators of Personal Data;
3.3.6. safety of individuals, society, and the state;
3.3.7. transparency of Personal Data Processing;
3.3.8. minimization of the Personal Data processed;
3.3.9. observance of time for Personal Data storage.
4. LEGAL GROUNDS FOR PROCESSING PERSONAL DATA
4.1. The Company shall process personal data if there is one of the following legal grounds provided for by the Laws of the Republic of Uzbekistan:
4.1.1. explicit and voluntary consent of the subject, which is provided for specific data processing purposes;
4.1.2. processing is necessary to execute a contract to which the Data Subject is party or in order to take steps at the request of the Data Subject prior to entering into such a contract;
4.1.3. if processing is necessary for the Company to fulfill its obligations under the Laws;
4.1.4. if processing is necessary to protect the legitimate interests of the Data Subject or another person;
4.1.5. if there is a need to process to exercise the rights and legitimate interests of the Company or Third Parties, or to achieve socially significant goals, provided that the rights and legitimate interests of Personal Data Subjects are not breached;
4.1.6. for statistical or other research purposes, subject to mandatory Anonymization of Personal Data;
4.1.7. if this data was obtained from public sources and its processing does not breach the rights and freedoms of the Personal Data Subjects.
5. TERMS, PURPOSES, AND FEATURES OF PERSONAL DATA PROCESSING
5.1. In order to comply with the Laws of the Republic of Uzbekistan on Personal Data, the Appendix hereto defines the categories of Personal Data Subjects, the purposes of Personal Data Processing, as well as the list of Personal Data processed for each category.
5.2. The Company carries out both Automated Personal Data Processing and non-automated processing of personal data to the extent necessary to achieve the objectives provided for in this Policy.
5.2.1. For the purposes of concluding and executing a contract (including the provision of Services and the sale of goods), as well as taking measures at the request of the Subject prior to entering into a contract, including for assessing reliability and solvency, preventing fraud, making decisions on the possibility of selling goods (including on installment terms), providing Services with deferred payment, or establishing Credit Limits, the Company is entitled to carry out Automated Personal Data Processing (including Financial Information, Behavioral Profile, and Technical Information) using scoring algorithms. The results of such processing, based on information available to the Company and (or) data obtained from Third Parties (including credit bureaus), shall be recognized by the Parties as a sufficient and exclusive basis for the Company to make relevant decisions (including refusal to conclude a contract or provide Services or goods) without the need for additional manual review or personnel intervention.
5.2.2. In cases where a decision producing legal consequences for the Subject or otherwise significantly affecting their rights and legitimate interests is made exclusively by Automated Personal Data Processing, the Company, upon receipt of a corresponding written request from the Subject (submitted in a manner allowing for reliable identification of the applicant), is obliged to:
- explain the procedure for making such a decision;
- provide an opportunity to file a reasoned objection against such a decision;
- explain the procedure for the Subject to protect their rights;
- consider the objection and notify the Subject of the results in writing within the time limit established by the Laws.
5.3. The Company shall be entitled to process data about the actions, preferences, and interactions of Personal Data Subjects with the Services (including Behavioral Profile, Technical, and Financial Data) for the purposes of providing, optimizing, and developing the Services, while complying with the principles of minimization and non-breach of the rights of subjects.
Processing involves automated means and does not involve individualized Processing of Personal Data by Company employees.
The results of such processing are aggregated or anonymized with no possibility to identify specific subjects.
Such data may be transferred to Partners only aggregated and/or anonymized.
5.4. The consent of the Subject of Personal Data to the Processing of Personal Data may be provided in the following forms:
5.4.1. by accepting an offer (public agreement) that explicitly specifies the purposes of personal data processing; in this case, consent is deemed to have been given after the offer is accepted;
5.4.2. by confirming your consent with the terms and conditions of service provision in the Company's Digital Services;
5.4.3. by entering into agreement;
5.4.4. in the form of a separate document drawn up in written or electronic form;
5.4.5. through conclusive actions including the actual use of the Company's services;
5.4.6. by other means not contrary to the Laws of the Republic of Uzbekistan.
5.5. In cases where Personal Data is processed without the consent of the Data Subject (for example, to perform a contract, based on legal requirements, or to protect the rights and legitimate interests of the Company), the Company shall strictly comply with the Laws of the Republic of Uzbekistan.
5.6. The Company shall provide video surveillance within its areas and facilities to ensure security, protect property, and prevent incidents.
The Company shall not process data obtained through video surveillance to identify specific Subjects of Personal Data.
Herewith, video surveillance recordings may be transferred in cases provided for by the Laws of the Republic of Uzbekistan, including upon request of law enforcement agencies, courts, or other authorized state bodies.
5.7. To ensure access control and monitoring of access to the Company's area and facilities, it is permitted to process biometric personal data of employees, interns, trainees, Contractors (individuals), and Authorized Representatives. Such processing is subject to consent of the Subject for purposes specified herein in compliance with the Laws of the Republic of Uzbekistan on Personal Data.
5.8. The Company is entitled to use artificial intelligence, machine learning, and algorithmic analysis technologies as a tool for Automated Personal Data Processing to the extent necessary to achieve the objectives provided for in this Policy.
5.8.1. When using artificial intelligence technologies, the Company takes necessary measures aimed at ensuring compliance with human and civil rights and freedoms. The application of these technologies is carried out taking into account the minimization of risks of harm; however, the Company shall not be held liable for subjective assessments of the ethicality of the algorithms' operation, provided they function within the framework of the Laws.
6. RIGHTS OF PERSONAL DATA SUBJECTS
6.1. Data Subjects have the rights provided for by the Laws of the Republic of Uzbekistan, including the right to access, correct, restrict, and destroy Personal Data, as well as other rights aimed at protecting their legitimate interests.
6.2. Requests providing execution of the Personal Data Subjects' rights may be submitted as follows:
- by email to the addresses specified on the official resources of the Company;
- by mail to the legal address of the Company;
- personally, when visiting the Company's office.
6.3. Withdrawal of consent to the processing of personal data, a request for the destruction or suspension of the processing of personal data necessary for the Company's Services, entails further failure to provide such Services by the Company.
7. PERSONAL DATA PROTECTION
7.1. The Company shall protect Personal Data when they are processed according to the Laws of the Republic of Uzbekistan.
7.2. Personal Data protection involves the legal, organizational, technical, and other means aimed at preventing their unauthorized access, loss, alteration, disclosure, or destruction.
8. PERSONAL DATA PROTECTION PRINCIPLE
8.1. The Company shall protect Personal Data strictly according to principles hereof. These principles are mandatory for all employees involved in the Personal Data Processing and are the basis for assessing the security.
8.2. Breaching of any of the principles of Personal Data Processing shall be considered as breaching of this Policy and entails liability in a prescribed manner.
8.3. The Company shall protect Personal Data according to the following principles arising from the Laws of the Republic of Uzbekistan and international information security practices:
8.3.1. compliance with the law-based regime that excludes unauthorized disclosure or distribution of Personal Data without the consent of the subject or with no other legal basis;
8.3.2. integrity and security - compliance with requirements and measures to prevent loss, distortion, or unauthorized alteration of Personal Data; Personal Data shall be kept up to date, consistent, and secure;
8.3.3. access restriction - Personal Data can be accessed by a strictly limited group of persons within the scope of their official role-based duties and the minimum necessary amount;
8.3.4. transparency and accountability - Personal Data Protection mechanisms shall be documented, and data processing and protection shall be subject to verification and audit;
8.3.5. assignment of responsibilities - ensuring that duties and responsibilities for Personal Data Protection are established in job descriptions, confidentiality agreements, and other internal regulations governing the activities of employees and other persons authorized to Process Personal Data.
9. TRANSFER OF PERSONAL DATA TO THIRD PARTIES
9.1. It is permitted to transfer Personal Data to Business Partners or Third Parties, including cross-borderly, only for their processing and if there are legal grounds provided for in clauses 4.1. and 10.2 hereof.
9.2. The following safety measures shall be observed:
- entering into agreement with a Business Partner or Third Party providing obligations regarding the Protection of Personal Data;
- assessing the legality of transfers and maintaining a register of such transactions.
9.3. If the relationship with a Business Partner or Third Party involves access to, processing, or transfer of Personal Data, provisions on the protection of Personal Data shall be recorded. These provisions may be included directly in the contract or executed as separate non-disclosure agreement (NDA) or other supplementary agreement to the contract.
10. CROSS-BORDER DATA TRANSFER
10.1. Personal Data can be transferred cross-borderly only if the recipient country adequately protects the rights of Personal Data Subjects.
10.2 Personal Data can be transferred cross-borderly to a country that does not provide adequate protection of the rights of Personal Data Subjects in the following cases:
- the consent of the Data Subject to the Cross-Border Transfer of Personal Data;
- the need to protect the constitutional order of the Republic of Uzbekistan, public order, the rights and freedoms of citizens, and the health and morality of the population;
- as provided for by international treaties of the Republic of Uzbekistan.
11. STORAGE AND DESTRUCTION OF PERSONAL DATA
11.1. Personal Data is stored in a form that provides identification of the Data Subject for no longer than is necessary for the processing and the established storage periods.
11.2. Unless otherwise provided by the Laws of the Republic of Uzbekistan, Personal Data shall be stored for the period necessary to achieve the purposes of processing, but not longer than the general limitation period established by the Laws of the Republic of Uzbekistan after termination of contractual or other legal relations with the Subject of Personal Data.
11.3. Upon expiration of the storage period, Personal Data shall be destroyed or anonymized, unless otherwise provided by Laws.
12. AUTHORIZED DIVISION
12.1. The Company establishes an Authorized Division whose tasks include organizing the Processing and Protection of Personal Data.
12.2. The activities, tasks, rights, and obligations of the Authorized Division shall be provided by the Laws of the Republic of Uzbekistan, the regulations on the Authorized Division, and other internal regulations of the Company.
13. DUTIES AND RESPONSIBILITIES OF THE COMPANY'S EMPLOYEES
13.1. Employees shall comply with the Laws of the Republic of Uzbekistan and the internal regulations of the Company on Personal Data.
13.2. Employees shall assist the Authorized Division in monitoring compliance with Laws of the Republic of Uzbekistan and the internal regulations of the Company on Personal Data.
13.3. Upon employment, the employee shall sign an agreement for non-disclosure of confidential information and personal data and read this Policy.
13.4. Company employees shall be personally liable for breaching the Laws of the Republic of Uzbekistan, this Policy, and other internal regulations of the Company for Personal Data.
13.5. Company employees who directly handled Personal Data shall, if transferred to another position, change position within the Company, or dismissed, transfer all physical media with information (including paper documents and other media with Personal Data) in a prescribed manner. Technical equipment provided by the Company (including laptops, desktop computers, and other devices) shall be returned and, if necessary, for business purposes, may be checked for unlawful actions.
14. FINAL PROVISIONS
14.1. This Policy is an internal regulation of the Company and is binding on all employees and other persons involved in the Processing of Personal Data.
14.2. This Policy is publicly available on the Company's Official Website and Digital Services in a section accessible to all users.
14.3. This Policy comes into force upon its publication in the specified sources, unless otherwise provided by the Policy or as decided by the Company.
14.4. The Company reserves the right to amend the Policy without specific notification to the Subjects of Personal Data. The new edition shall be deemed effective after it is posted on the Company's Official Website and Digital Services, unless otherwise specified in the new edition.
Appendix
CATEGORIES
OF PERSONAL DATA SUBJECTS,
PURPOSES OF PROCESSING, AND LIST OF PERSONAL DATA PROCESSED
This Appendix establishes the categories of Personal Data Subjects, the purposes of processing, and the list of personal data processed by the Company. It applies to all Personal Data processing activities by the Company, including automated and non-automated processing.