Privacy Policy
1. General Provisions
1.1. This Privacy Policy of SOFTDEV Limited Liability Company (hereinafter referred to as the “Company”) establishes the procedure for processing information relating to an identified or identifiable natural person (hereinafter referred to as “personal data”), as well as the measures taken by the Company to ensure the security of such personal data.1.2. This Policy has been developed in accordance with the Law of the Republic of Belarus dated May 7, 2021 No. 99-З “On Personal Data Protection” (hereinafter – the Personal Data Law), and other legislative acts of the Republic of Belarus.
1.2.1. This Policy also takes into account the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation – GDPR), insofar as applicable to users located within the European Union.
1.3. The Company implements technical, organizational, and legal measures to protect personal data, as well as the rights and freedoms of individuals when processing their personal data.
1.4. This Policy applies to all personal data processed by the Company, except for data processed in the context of employment or administrative procedures (concerning employees or former employees), as well as cookie data.
This Policy also applies to the processing of data of users of the website https://vai-chat.by (hereinafter – the “Website”), clients, individual contractors, job applicants, representatives of legal entities, and other individuals interacting with the Company.
1.5. Terms used in this Policy shall have the meanings ascribed to them under the applicable laws of the Republic of Belarus.
2. Principles, Purposes, and Rules of Personal Data Processing; Categories of Data Processed; Retention Periods
2.1. The purposes of processing personal data include:
2.1.1. Ensuring compliance with the Constitution of the Republic of Belarus, laws and other regulatory legal acts of the Republic of Belarus, and the internal policies of the Company;
2.1.2. Fulfilling functions, powers, and obligations imposed on the Company by the laws of the Republic of Belarus, including the provision of personal data to state authorities, the Social Protection Fund under the Ministry of Labour and Social Protection of the Republic of Belarus, and other government bodies;
2.1.3. Processing of citizen appeals submitted to the Company pursuant to the Law of the Republic of Belarus dated July 18, 2011 No. 300-З “On Appeals of Citizens and Legal Entities”;
2.1.4. Identifying individuals with whom the Company enters into contractual relationships;
2.1.5. Preparation, execution, fulfillment, and termination of agreements with counterparties;
2.1.6. Formation of reference materials for internal informational support of the Company’s activities;
2.1.7. Execution of judicial decisions or orders of other authorities or officials subject to enforcement under the laws of the Republic of Belarus on enforcement proceedings;
2.1.8. Exercise of the Company’s rights and legitimate interests in the context of its financial and business activities or in the pursuit of public interest objectives;
2.1.9. Other lawful purposes;
2.1.10. Ensuring the operation of software services, AI services, and digital platforms used by users, including via integration with third-party APIs (e.g., Instagram, Meta, Telegram, etc.).
2.2. The Company processes personal data based on the principles of legality, respect for the rights and interests of individuals, and protection of their privacy.
2.3. The Company may process the following categories of personal data: full name; contact information (phone number, fax, email address); photographs; date of birth; place of residence or mailing address; identity document details (series, number, date of issue); social security number; residential or business address.
The official Website collects and processes anonymized data about visitors (including cookies).
2.3.1. Special categories of personal data, including biometric data, may be processed if there is a lawful basis for such processing.
2.3.2. User-generated content: When using the platform, users may submit textual inputs (prompts) and other data to configure the functionality of the virtual assistant. This data is processed by the Company solely for service provision, technical support, and to monitor compliance with the terms of use. In the event of detected violations, the service administration reserves the right to suspend user account access.
2.3.3. Personal data collected via integration with Meta platforms (e.g., Instagram messages, profile data) is processed solely to provide the functionality of the AI assistant, including response generation and personalization, in accordance with GDPR requirements and Meta’s policies.
2.4. The Company stores personal data in a form that allows identification of the data subject no longer than necessary to achieve the purposes declared and in compliance with applicable laws.
2.5. The Company ensures the security of personal data by implementing encryption (e.g., AES-256 for storage, HTTPS for transmission), access restrictions, regular security audits, and other technical and organizational measures in accordance with Article 32 of the GDPR to prevent unauthorized access.
2.6. The retention periods for personal data are determined in accordance with the laws on archiving and recordkeeping.
2.7. The Company stores personal data in a confidential manner, ensuring it cannot be lost or misused.
2.8. All personal data is kept in secure locations inaccessible to unauthorized persons — such as safes or other locked cabinets and restricted-access rooms.
2.9. Upon fulfillment of the processing purposes, the Company deletes personal data unless its longer retention is required by regulatory legal acts.
3. Procedure and Conditions for Personal Data Processing
3.1. The collection of personal data is carried out with the consent of the individual whose personal data is processed by the Company (hereinafter – the “data subject”), unless otherwise provided by the Personal Data Law.
3.2. The consent of the data subject constitutes a freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which they signify agreement to the processing of their personal data.
3.3. Consent may be obtained in written form, as an electronic document, or in another electronic format.
3.3.1. Consent may be provided electronically, including by ticking a checkbox on the website interface, provided that the expression of will is informed and deliberate.
3.4. Data subjects have the following rights, as granted by applicable legislation and Articles 12–23 of the GDPR (where applicable):
3.4.1. To withdraw consent for the processing of personal data;
3.4.2. To obtain information about the processing of their personal data and request rectification of such data;
3.4.3. To request the cessation of processing and/or deletion of personal data;
3.4.4. To lodge a complaint regarding the Company’s actions (or inaction) and decisions related to personal data processing;
3.4.5. To access their personal data;
3.4.6. To restrict processing in case of a dispute;
3.4.7. To require notification to all parties who previously received inaccurate or incomplete personal data regarding corrections or additions made;
3.4.8. To supplement their personal data with a statement expressing their own viewpoint (in the case of evaluative data);
3.4.9. To exercise the right to data portability in a machine-readable format, where applicable.
3.5. Personal data is processed by the Company solely for the purposes specified in this Policy.
3.6. The processing of personal data received by the Company is carried out in accordance with legislative acts and the Company’s internal policies.
3.7. Personal data collected by the Company is not shared with third parties and is not subject to dissemination, except where required for compliance with applicable law.
4. Authorized Processors and Cross-Border Data Transfer
4.1. The Company may engage authorized third parties to process personal data.
4.2. Authorized processors shall process personal data based on a data processing agreement with the Company.
4.2.1. Authorized processors shall comply with GDPR requirements when processing data of EU citizens.
4.2.2. When transferring data to Meta Platforms Inc. (1601 Willow Road, Menlo Park, CA 94025, USA) for use of Meta platform APIs (e.g., Instagram, Facebook), the Company enters into agreements ensuring compliance with GDPR and Meta’s policies, including those concerning data protection and confidentiality.
4.3. Cross-border transfers of personal data are permitted where a valid legal basis exists.
4.4. Such transfers may occur based on the data subject’s consent, contract performance, or fulfillment of legal obligations.
4.5. When transferring data outside the Republic of Belarus, the Company ensures the application of appropriate legal mechanisms, including Standard Contractual Clauses (SCCs) or explicit consent of the data subject.
5. Rights and Obligations of Data Subjects
5.1. Data subjects have the following rights:
5.1.1. To receive full information about their personal data processed by the Company;
5.1.2. To access their personal data, including the right to obtain a copy of any record containing their personal data, except in cases provided by law;
5.1.3. To request rectification, blocking, or erasure of their personal data if the data is incomplete, outdated, inaccurate, unlawfully obtained, or no longer necessary for the stated purposes of processing;
5.1.4. To supplement their evaluative personal data with a statement expressing their personal viewpoint;
5.1.5. To request that all parties who previously received inaccurate or incomplete data be informed of the corrections or additions made;
5.1.6. To withdraw consent for the processing of their personal data;
5.1.7. To appeal the Company’s actions or inaction related to personal data processing in accordance with applicable law;
5.1.8. To exercise other rights provided by law.
5.2. Data subjects are obliged to:
5.2.1. Provide the Company with accurate personal data;
5.2.2. Promptly inform the Company of any changes or additions to their personal data;
5.2.3. Exercise their rights in accordance with the laws of the Republic of Belarus and the Company’s internal policies related to personal data processing and protection;
5.2.4. Fulfill other duties established by the laws of the Republic of Belarus and the Company’s internal regulations regarding personal data.
5.3. Personal data is processed based on the data subject’s consent. Consent is not required in cases provided for by the Personal Data Law, including but not limited to:
5.3.1. When the special personal data has been made publicly available by the data subject;
5.3.2. During employment relations or activities, where permitted by law;
5.3.3. For the purpose of pension provision or monthly allowances for certain categories of civil servants;
5.3.4. To administer justice, enforce court decisions, perform notarial acts, or handle inheritance rights;
5.3.5. To carry out administrative procedures;
5.3.6. To protect the life, health, or other vital interests of the data subject or others when obtaining consent is not possible;
5.3.7. When processing special personal data is necessary to fulfill legal obligations or authorities;
5.3.8. For organizing and conducting national statistical surveys and compiling official statistics;
5.3.9. When the processing of special personal data is explicitly authorized by the Personal Data Law or other legal acts;
5.3.10. For individual (personalized) records of insured persons for state social insurance, including professional pension insurance;
5.3.11. For scientific or other research purposes, provided the data is anonymized;
5.3.12. When the personal data is included in a document addressed and signed by the data subject, according to its content.
5.3.13. For carrying out administrative procedures;
5.3.14. To protect the life, health, or other vital interests of the data subject or others if obtaining consent is not possible.
5.4. Consent for the processing of personal data may be obtained by the Company in written form, as an electronic document, or in another legally valid electronic form.
5.5. A data subject may withdraw their consent for the processing of personal data at any time, without stating reasons, by submitting a corresponding request to the Company. The withdrawal request must comply with applicable law and include:
5.5.1. The subject’s full name and residential (or current) address;
5.5.2. The subject’s date of birth;
5.5.3. The subject’s identification number or, if not available, the number of the identity document provided when giving consent or in cases where processing is performed without consent;
5.5.4. A clear statement withdrawing consent for the processing of personal data;
5.5.5. The personal signature or digital signature of the data subject.
5.6. Upon receipt of a withdrawal request, the Company forwards the request to the designated official responsible for internal data protection compliance. This official is appointed by a Company order.
The authorized official must, within fifteen days, review the request, cease processing, delete the data, and notify the data subject — unless other legal grounds for continuing processing exist under the laws of the Republic of Belarus. If technical deletion is not possible, the Company must take steps to prevent further processing (including blocking the data) and notify the data subject within the same period.
For matters related to GDPR compliance, the data subject may contact the Company’s Data Protection Officer at vaichat.by@gmail.com or via the contact form at https://vai-chat.by.
6. Final Provisions
6.1. The security of personal data processed by the Company is ensured through legal, organizational, and technical measures aimed at protecting data from unauthorized or accidental access, alteration, blocking, copying, distribution, provision, deletion, or any other unlawful actions.
6.2. Compliance monitoring of the Company’s activities with personal data laws of the Republic of Belarus and internal policies is carried out to ensure proper processing, evaluate protective measures, identify unauthorized access, and eliminate potential consequences.
6.3. Internal compliance monitoring is performed by the designated person responsible for organizing personal data processing within the Company.
6.4. The person responsible for organizing data processing is also personally liable for ensuring compliance with Belarusian law and internal regulations, as well as for maintaining data confidentiality and security.
6.5. Internal control includes periodic verification of local procedures for compliance with legislation and international standards, including GDPR.
6.6. This Privacy Policy is publicly available, published on the official Company website, and enters into force on the date of its approval by the Company’s management.
6.7. The Company may update or amend this Policy to ensure its relevance and completeness regarding data processing procedures and the rights and obligations of the parties.
6.8. The Company undertakes to inform data subjects of any changes to this Policy by publishing an updated version on the official website and/or by other means at its discretion. For EU users, notice of material changes will be provided via email or the platform interface in accordance with GDPR (Articles 13–14).
6.9. Where the processing of personal data, including biometric data or profiling in the context of the AI assistant, poses a high risk to the rights and freedoms of data subjects, the Company will conduct a Data Protection Impact Assessment (DPIA) as required under Article 35 of the GDPR.