Privacy Policy

PRIVACY POLICY - NADI AI INTERVIEWER

Version: 1.0

We process personal data to provide Nadi AI Interviewer functions, ensure security, support
users, and comply with legal requirements.

1. Operator and contacts
   1.1. Personal data operator: IP LLC Nadi (Republic of Uzbekistan), reg. No. 312613718.
   1.2. Address: Paxlavon Maxmud kochasi, 2 muyulish kochasi, 1 berk ko`chasi, 1-xonadon
   1.3. E-mail: support@nadi.ink
   
   

2. What data we process
   2.1. Account and authorization data: e-mail/identifier, profile attributes (if provided via
   Google/Yandex), login logs, session tokens.
   2.2. OTP login data: address/delivery channel of the code (depending on implementation),
   sending/verification fact, technical metadata.
   2.3. User Content: answers, notes, files, images/photos and metadata (if uploaded), settings
   and tags.
   2.4. AI interaction history: prompts/input data and responses/summaries/conclusions
   generated by the Service (within the functionality).
   2.5. AI session metadata: technical session parameters (e.g., time, model/component
   version, performance metrics).
   2.6. Technical and diagnostic data: IP address, device/browser/app identifiers, OS version,
   language; event and error logs.
   2.7. Sensitive (special) categories: the User may voluntarily enter information about
   health/well-being/psychological state. We treat such information as sensitive and apply
   enhanced protection measures. Cross-border transfer of such data is carried out only with
   valid consent where required.
   2.8. PINFL (personal identification number): the Company does not request or require PINFL
   for registration or use of the Service. If functionality requiring PINFL processing appears in
   the future, the Company will update this Policy in advance and ensure collection of the
   necessary consents/grounds.
   
   

3. Data sources
   3.1. Data is received from the User, from authorization providers (Google/Yandex), and
   automatically when using the Service (logs, technical data).
   
   

4. Processing purposes
   4.1. Creating and managing the Account; providing Service functions.
   4.2. Ensuring security, preventing abuse, investigating incidents.
   4.3. User support and handling requests.

   4.4. Improving Service quality (where possible - on anonymized/aggregated data).
   4.5. Compliance with the law and lawful requests of authorized bodies.
   4A. Data processing using artificial intelligence
   4A.1. To provide Service functions (AI interviewer, analysis, summaries, visualizations), the
   Company uses machine learning/artificial intelligence algorithms and models.
   4A.2. User Content may be processed by AI components to:
   ● generate personalized questions;
   ● analyze answers and identify patterns;
   ● create summaries and structured reports;
   ● generate insights and visualizations.
   4A.3. AI processing is carried out using the Company’s proprietary developments and
   GCP/Neo4j infrastructure (as part of the architecture). User Content is not transferred to
   third-party AI providers to train their models without the User’s separate explicit consent (if
   such an option is offered).
   
   

5. Uzbekistan: localization, primary storage, and State Register
   5.1. The Company complies with the legislation of the Republic of Uzbekistan on personal
   data, including requirements for lawful processing, confidentiality, and protection measures.
   5.2. Article 271 (special conditions for citizens of the Republic of Uzbekistan). The Company
   ensures primary collection, systematization, and storage of personal data of citizens of the
   Republic of Uzbekistan in personal data databases on technical means physically located in
   the Republic of Uzbekistan, as provided by Article 271 of the Law of the Republic of
   Uzbekistan “On Personal Data”.
   5.3. To ensure Service functionality and operation of cloud infrastructure, further processing
   and/or cross-border data transfer may be carried out in accordance with Section 7 of this
   Policy.
   5.4. State Register of personal data databases. The personal data database of citizens of
   the Republic of Uzbekistan is subject to registration in the State Register of personal data
   databases. As of the effective date of this Policy: registration is in progress (or registered - if
   a certificate is available; current status can be provided upon request to support@nadi.ink).
   
   

6. Categories of recipients (to whom we may disclose data)
   We disclose personal data only to the minimum extent necessary to the following categories
   of recipients:
   6.1. Authorization (SSO) providers: Google and Yandex - for login, session management,
   and security.
   6.2. Cloud infrastructure and hosting: Google Cloud Platform (GCP) - for storage,
   processing, backup, and operation.
   6.3. Monitoring, logging, and security: providers of monitoring/observability/logging and

   incident response tools - for diagnostics, stability, and abuse prevention.
   6.4. Visualization and reporting: providers of visualization libraries/tools (charts, diagrams,
   dashboards) - when using relevant functions.
   6.5. Disclosure as required by law: government authorities/courts - upon lawful request or to
   protect the rights and legitimate interests of the Company and users.
   
   

7. Citizens of the Republic of Uzbekistan: cross-border transfer and consent as a
   condition of use
   7.1. Due to the Service architecture and use of cloud infrastructure/integrations, processing
   may include cross-border transfer of personal data (transfer outside the Republic of
   Uzbekistan).
   7.2. Mandatory condition of use for citizens of the Republic of Uzbekistan. If the User is a
   citizen of the Republic of Uzbekistan, by starting and/or continuing to use the Service, the
   User thereby consents to cross-border transfer of their personal data for the purposes
   specified in this Policy (service provision, security, backup, technical support, operation of
   cloud infrastructure).
   7.3. If a citizen of the Republic of Uzbekistan does not consent to cross-border transfer, they
   must:
   ● immediately stop using the Nadi Service; and
   ● send a request to support@nadi.ink to delete all their personal data.
   7.4. Upon receiving the request, the Company deletes/anonymizes personal data within a
   reasonable period to the extent permitted and required by law, except for data that the
   Company must retain due to mandatory legal requirements and/or the minimum necessary
   technical logs for security and preventing repeated abuse.
   8. Cookies and similar technologies
   8.1. The web version of the Service may use cookies/local storage and similar technologies
   to maintain sessions, security, save settings, and operate the interface.
   8.2. Disabling cookies may cause incorrect operation of certain functions (e.g.,
   authorization).
   9. Retention periods and deletion, including AI processing
   9.1. We retain personal data no longer than necessary for processing purposes, unless a
   longer period is required by law or justified by the protection of legitimate interests (e.g.,
   abuse investigations).
   9.2. Typical periods (unless otherwise required by law):
   ● Account data and User Content - while the Account is active + up to 30 days after
   deletion (technical cycle);

● AI interaction history - while the Account is active + up to 90 days (for personalization
and quality control), unless the User requests otherwise, and unless retention is
required for security/law;
● technical logs - up to 180 days;
● security logs - up to 12 months;
● support correspondence - up to 24 months after closing the request.
9.3. Upon a deletion request, we delete/anonymize personal data to the extent permitted by
law, taking into account the exceptions in Section 7.4.
9.4. Data deletion and AI components:
● after deletion/anonymization of the User’s data, the Service stops using such data for
personalization;
● data used to improve internal algorithms is processed predominantly in
anonymized/aggregated form;
● technical caches and backups are deleted/overwritten as part of the standard backup
and recovery cycle (typically within 30 days), unless otherwise required by law.
10. Users’ rights and data export
10.1. The User may send a request to support@nadi.ink:
● about the data being processed;
● to correct/clarify;
● to delete/stop processing (where grounds exist);
● to provide a copy/export of data.
10.2. The Company may request identity verification (usually via the authorization method
used to create the Account) to prevent disclosure of data to third parties.
11. Authorized personal data protection authority (Uzbekistan)
11.1. The authorized body for personal data protection and maintenance of the State
Register of personal data databases is the State Center for Personalization under the
Cabinet of Ministers of the Republic of Uzbekistan (within its established competence and
organizational structure).
11.2. Information about the service for entering personal data databases into the State
Register and contact details of the authorized body are published on government resources,
including the public services portal; an example contact phone number published in the
service card: +998 71 207 70 92.
12. Children and minors; images of minors
12.1. The Service is intended only for persons 18+. We do not intentionally collect children’s
data.
12.2. If the Service is found to be used by a minor, the Company restricts access and takes
measures to delete data in accordance with this Policy and the law.

12.3. Images of minors: when uploading images of minors, the User confirms lawful grounds
and necessary consents of legal representatives; the User assumes all risks and liability in
the absence of such grounds.
13. Users in the USA, EEA, and the UK (additional provisions)
13.1. Users in the USA/EEA/UK may submit requests to exercise rights (access, correction,
deletion, export/portability - where applicable) to support@nadi.ink; the Company may verify
identity.
13.2. Enhanced protection applies to sensitive data and, where necessary, separate consent
mechanisms.
14. Transparency reports
14.1. The Company strives for transparency in data processing and, at the User’s request,
may provide information about:
● the number of AI sessions and technical parameters (to the extent available);
● categories of processed data;
● the fact of cross-border transfer (categorically, without disclosure of commercially
sensitive information);
● applied verification and protection measures (at a high level).
14.2. Requests should be sent to support@nadi.ink with identity confirmation.

16. Russian Federation: refusal to process personal data of RF citizens and
availability in RF for non-residents by citizenship
16.1. The Company stores and processes data on GCP capacities, using Neo4j and
proprietary developments.
16.2. Guided by Russian Federation legal requirements applicable to personal data
processing of RF citizens, the Company does not process personal data of RF citizens
(including RF citizens abroad) and does not provide the Service to RF citizens.

16.3. By using the Service, the User confirms and warrants that the User is not an RF
citizen. A person holding RF citizenship in addition to another citizenship is considered an
RF citizen for the purposes of this section.
16.4. The Company recognizes that many citizens of Kazakhstan and Uzbekistan live or
temporarily stay in the Russian Federation and may use the Service as a digital archive,
including for preserving and transferring family and national heritage. Therefore, the
Company does not impose geographic restrictions on using the Service in the Russian
Federation for persons who are not RF citizens but are located in the Russian Federation.
16.5. If the Company has reasonable grounds to believe that the User is an RF citizen, the
Company may restrict access/block the Account and initiate data deletion to the extent
permitted by law, while retaining the minimum necessary technical logs for security and
abuse prevention.
17. Policy updates
17.1. We may update the Policy. The current version is published in the Service and takes
effect as of the date specified in the document.