Privacy policy

Last updated: 31.12.2024

PRIVACY POLICY

for the Invictus Website and Mobile Application

 

This Privacy Policy (the Policy) sets out the procedure for the collection, use, storage, transfer and protection of personal data of Users when using the website https://invictus.kz, the Invictus mobile application, the User Account and other Invictus digital services (collectively, the Service).

The Service is administered by GOPASS PLATFORM LLP, BIN 221040004076 (the Company, the Service Operator).

This Policy is a separate document and applies together with the User Agreement, the terms of specific offers, club rules, public offers of Partners, User consents and other documents posted in the Service.

This Policy applies to all Users of the Service regardless of their country of residence or location, unless otherwise provided by local terms, separate consents or mandatory requirements of applicable law.

By using the Service, the User confirms that they have read this Policy. Where applicable law requires the User’s separate consent for certain types of data processing, such processing is carried out only after the relevant consent has been obtained.

 

1. TERMS

1.1. Service means the Invictus website, mobile application, User Account, electronic forms, notifications, interfaces and other digital tools.

1.2. Company means GOPASS PLATFORM LLP, acting as the operator of the Service.

1.3. User means an individual using the Service.

1.4. Partner means a legal entity, individual entrepreneur or any other person placing offers in the Service for the sale of memberships, goods, works, services, consultations, digital products or other offerings.

1.5. Personal Data means any information relating to the User that directly or indirectly identifies, or may identify, the User.

1.6. Processing of Personal Data means any action performed with Personal Data, including collection, recording, systematization, storage, modification, use, transfer, anonymization, restriction, deletion or destruction.

1.7. Membership, User Account, Order and Content have the meanings assigned to them in the User Agreement.

 

2. GENERAL PRINCIPLES OF DATA PROCESSING

2.1. The Company processes Personal Data lawfully, fairly, transparently and only to the extent necessary for the purposes specified in this Policy.

2.2. The Company does not collect Personal Data unnecessarily and does not use it for purposes incompatible with this Policy, the User Agreement, the terms of a specific offer or applicable law.

2.3. The Company takes reasonable organizational, technical and legal measures to protect Personal Data against unlawful access, loss, alteration, disclosure, destruction or other unlawful use.

2.4. The User is responsible for the accuracy, relevance and completeness of the data provided during registration, placement of an Order, communication with support or use of the Service.

2.5. If the User provides data of a third party, including a minor, the User confirms that they have the necessary authority or consent of such person or their legal representative.

 

3. CATEGORIES OF PERSONAL DATA

3.1. Depending on how the Service is used, the Company may process the following categories of data.

3.1.1. Identification data

  • surname, first name, patronymic or other display name;

  • date of birth;

  • gender, if indicated by the User or required for a specific service;

  • citizenship, document or identification number, where necessary for compliance with legal requirements, identification, refund, installment payment, participation in a promotion or other legally significant operation;

  • photograph or other image of the User, if visual identification is used.

3.1.2. Contact data

  • phone number;

  • email address;

  • delivery address, if the User orders delivery of goods;

  • other contact details provided by the User.

3.1.3. User Account and Service usage data

  • unique User identifier;

  • date and time of registration;

  • history of logins and actions in the Service;

  • history of Orders, purchases, refunds, requests and claims;

  • information about Memberships, their activation, validity period, freezing, re-registration and use;

  • information about visits to clubs, if such data is generated by the access control system or the Partner’s rules;

  • reviews, requests and correspondence with support.

3.1.4. Payment data

  • payment amount;

  • payment date and status;

  • transaction identifier;

  • payment method;

  • partially masked bank card data, for example the last four digits;

  • information about refunds, installment payments, receipts and payment confirmations.

The Company does not store the full bank card number or CVV/CVC code, unless otherwise provided by the payment solution used and the requirements of applicable law. Payments may be processed by banks, payment organizations, payment aggregators or other authorized persons.

3.1.5. Technical and analytical data

  • IP address;

  • device type;

  • operating system and its version;

  • application or browser version;

  • language, regional settings and time zone;

  • data from cookies, SDKs, pixels, local storage and similar technologies;

  • information about errors, failures, performance and security of the Service;

  • anonymized or aggregated data on the use of the Service.

3.1.6. Geolocation data

The Company may process the User’s location data if such function is enabled on the User’s device or is necessary to provide a specific function of the Service, such as selecting the nearest club, displaying relevant offers or checking the availability of a service.

3.1.7. Biometric data and identification tools

The Company and/or Partners may process a photograph, facial image, biometric template or other identification data only where necessary for club access, prevention of transfer of a Membership to third parties, security purposes or compliance with the rules of a specific club, and subject to the User’s separate consent where such consent is required by applicable law.

 

4. PURPOSES OF PERSONAL DATA PROCESSING

4.1. The Company processes Personal Data for the following purposes:

  • registration, authorization and management of the User Account;

  • identification of the User;

  • provision of access to Service functions;

  • placement, confirmation, performance and support of Orders;

  • activation, use, freezing, re-registration and administration of Memberships;

  • provision of access to clubs and other facilities of Partners;

  • processing of payments, refunds, receipts, installment payments and other financial operations;

  • provision of technical and customer support;

  • review of User requests, complaints, claims and inquiries;

  • sending service, technical, informational and legally significant notifications;

  • ensuring the security of the Service, preventing fraud, abuse, unauthorized access and transfer of Memberships to third parties;

  • improving the quality of the Service, diagnosing errors, conducting analytics and developing functionality;

  • conducting promotions, loyalty programs, surveys and marketing activities where the necessary consent has been obtained;

  • compliance with applicable law, court decisions, requests of public authorities and other legal obligations;

  • protection of the rights and legitimate interests of the Company, Users, Partners and third parties.

4.2. The Company does not use Personal Data for automated decision-making that produces significant legal effects for the User, unless otherwise expressly provided by the terms of a specific service, the User’s separate consent or applicable law.

 

5. LEGAL BASES FOR PROCESSING

5.1. Depending on the User’s country and applicable law, Personal Data may be processed on one or more of the following legal bases:

  • the User’s consent;

  • the necessity to perform a contract or take steps at the User’s request before entering into a contract;

  • the necessity to comply with obligations provided by applicable law;

  • the legitimate interest of the Company, Partners or third parties, provided that such interest does not violate the rights and freedoms of the User;

  • the necessity to protect the life, health, safety or legitimate interests of the User or other persons;

  • other legal bases provided by applicable law.

5.2. Separate consent may be requested, in particular, for:

  • processing of biometric data;

  • receipt of advertising and marketing messages;

  • use of certain categories of cookies and analytical tools;

  • transfer of data to certain categories of third parties, where such consent is required by law;

  • processing of a minor’s data, where applicable law requires the consent of a legal representative.

5.3. The User may withdraw consent in the cases and manner provided by applicable law. Withdrawal of consent does not affect the lawfulness of processing carried out before such withdrawal and does not always mean immediate deletion of all data, if their retention is necessary for compliance with law, performance of a contract, protection of rights or resolution of disputes.

 

6. TRANSFER OF DATA TO THIRD PARTIES

6.1. The Company may transfer Personal Data to third parties only to the extent necessary for the purposes specified in this Policy, the User Agreement, the terms of a specific offer or applicable law.

6.2. Data may be transferred to the following categories of recipients:

6.2.1. Partners

Data may be transferred to Partners for the placement and performance of Orders, provision of services, activation of Memberships, organization of club access, review of claims, refunds and other requests.

Transferred data may include name, contact details, information about the Order, Membership, payment, service status, visits and requests, as well as a photograph or identification data where necessary for access or security.

6.2.2. Payment and financial organizations

Data may be transferred to banks, payment organizations, payment aggregators, installment payment services and other financial organizations for payment processing, refunds, transaction confirmation, fraud prevention and performance of financial obligations.

6.2.3. Technical providers and contractors

Data may be transferred to hosting providers, cloud services, CRM systems, notification services, support services, analytics, security, development and technical maintenance providers of the Service.

6.2.4. Marketing and analytics services

Where the necessary consent or another legal basis exists, data may be processed using analytics, advertising and marketing tools to analyze the operation of the Service, improve the user experience, display relevant offers and assess the effectiveness of communications.

6.2.5. Public authorities and other authorized persons

Data may be disclosed to public authorities, courts, law enforcement authorities, regulators, notaries, auditors, consultants or other persons if such disclosure is required by applicable law, an official request, a court decision, for the protection of rights or for the resolution of a dispute.

6.3. The Company takes reasonable measures to ensure that third parties receiving Personal Data use it only for agreed purposes and ensure an appropriate level of protection.

6.4. Partners and certain service providers may independently determine the purposes and means of processing data in relation to the services they provide. In such cases, they are independently responsible for processing data in accordance with their own documents and applicable law.

 

7. INTERNATIONAL DATA TRANSFER

7.1. Since the Service may be used by Users from different countries, and certain technical, payment, analytical and other providers may be located in different jurisdictions, Personal Data may be transferred to and processed outside the User’s country of residence or location.

7.2. International data transfer is carried out where there is a legal basis and in compliance with the requirements of applicable law.

7.3. The Company seeks to use providers and safeguards that ensure an appropriate level of Personal Data security, including contractual confidentiality obligations, technical protection measures and other applicable mechanisms.

 

8. COOKIES, SDKs AND ANALYTICAL TECHNOLOGIES

8.1. The Service may use cookies, SDKs, pixels, web beacons, local storage and similar technologies for the operation of the Service, authorization, security, saving settings, analytics, improvement of user experience and, where the necessary consent has been obtained, marketing purposes.

8.2. The technologies used may include:

  • strictly necessary cookies and technologies required for the operation of the Service;

  • functional cookies that remember User settings;

  • analytical cookies and SDKs that help evaluate the operation of the Service and fix errors;

  • marketing cookies and pixels used for advertising and evaluation of its effectiveness where the necessary consent has been obtained.

8.3. The User may restrict or disable cookies in the browser or device settings. Disabling certain technologies may result in some Service functions becoming unavailable or working incorrectly.

8.4. If a consent management center or similar tool is implemented in the Service, the User may manage certain categories of cookies and analytical technologies through such tool.

 

9. BIOMETRIC DATA AND PHOTO IDENTIFICATION

9.1. The Company and/or Partners may use the User’s photograph, facial image, biometric template or other identification tools for the following purposes:

  • confirming the User’s identity;

  • providing access to a club or certain areas;

  • preventing the transfer of a Membership to third parties;

  • maintaining access control;

  • ensuring security and preventing fraud.

9.2. Biometric data is processed only with the User’s separate consent where such consent is required by applicable law.

9.3. The User may refuse to provide biometric data or withdraw previously given consent if such right is provided by applicable law.

9.4. Refusal to provide biometric data may result in the impossibility of automatic access to a club or use of certain functions of the Service. In such case, the Company and/or Partner may offer another available method of identification if it is provided by the rules of the relevant club or the technical capabilities of the Service.

9.5. Biometric data and photographs are stored no longer than necessary for the purposes of their processing, unless a longer retention period is required by applicable law, contract, protection of rights or dispute resolution.

 

10. DATA RETENTION PERIODS

10.1. The Company stores Personal Data no longer than necessary for the purposes for which it was collected, unless a longer retention period is required or permitted by applicable law.

10.2. The retention period may depend on the category of data and purpose of processing, including:

  • the duration of the User Account;

  • the validity period of a Membership or performance of an Order;

  • periods for reviewing requests, claims and disputes;

  • retention periods for accounting, tax, payment and other legally significant documents;

  • periods necessary to protect the rights and legitimate interests of the Company, the User, Partners or third parties.

10.3. After the purposes of processing have been achieved or the applicable retention period has expired, data is deleted, anonymized or archived in accordance with the Company’s internal procedures and applicable law.

 

11. PROTECTION OF PERSONAL DATA

11.1. The Company applies reasonable technical and organizational measures to protect Personal Data, including, where applicable:

  • access rights separation;

  • use of secure data transmission channels;

  • encryption or other methods of protection for certain categories of data;

  • access control and monitoring;

  • backup copying;

  • protection against malicious software and unauthorized access;

  • internal confidentiality rules for employees and contractors;

  • review and restriction of access by service providers.

11.2. Despite the measures taken, no method of data transmission or storage can be absolutely secure. The User must also take measures to protect their User Account, password, device, email and phone number.

11.3. If a security incident is identified, the Company takes measures to investigate it, minimize its consequences and notify Users or authorized authorities where such notification is required by applicable law.

 

12. USER RIGHTS

12.1. Depending on applicable law, the User may have the right to:

  • obtain information on whether the Company processes their Personal Data;

  • access their Personal Data;

  • request correction of inaccurate or incomplete data;

  • request deletion of data;

  • request restriction of processing;

  • object to data processing;

  • withdraw consent to data processing;

  • request data portability, if such right is provided by applicable law;

  • opt out of advertising and marketing messages;

  • file a complaint with the competent personal data protection authority.

12.2. To exercise their rights, the User may contact the Company through the Service, support service, email or other contact channels specified in this Policy.

12.3. The Company may request additional information from the User that is necessary to verify identity and review the request.

12.4. The Company reviews User requests within the time limits provided by applicable law. If a request cannot be fulfilled in whole or in part, the Company informs the User of the reason for refusal or restriction, where such notice is permitted by applicable law.

12.5. Deletion of certain data may make it impossible to use the Service, User Account, Membership or certain functions if such data is necessary for their provision.

 

13. DATA OF MINORS

13.1. The Service may be used by minors only subject to the requirements of applicable law, the User Agreement, the rules of the specific club and the terms of the relevant offer.

13.2. If the consent of a legal representative is required for the processing of a minor’s data, such processing is carried out only where the relevant consent has been obtained.

13.3. If the Company becomes aware that a minor’s data has been provided without the necessary consent of a legal representative, the Company may restrict access to the Service, request confirmation of consent or delete the relevant data, unless its further storage is required by law or for the protection of rights.

 

14. MARKETING MESSAGES

14.1. The Company may send the User advertising and marketing messages about products, services, promotions, special offers, events and news of Invictus and/or Partners where the necessary consent or another legal basis exists.

14.2. The User may opt out of advertising and marketing messages using the method specified in the message, in the Service settings, through support or by any other available method.

14.3. Opting out of advertising and marketing messages does not stop the sending of service, technical, transactional and legally significant notifications related to the use of the Service, Orders, payments, Memberships, security and User requests.

 

15. THIRD-PARTY SERVICES AND LINKS

15.1. The Service may contain links to websites, applications, payment pages, services of Partners, banks, payment organizations, social networks, app stores or other third parties.

15.2. The Company does not control the way such third parties process Personal Data where they act independently. The User is advised to read their privacy policies and terms of use.

15.3. The User’s transition to a third-party website or use of a third-party service is subject to the terms of the relevant third party.

 

16. AMENDMENTS TO THIS POLICY

16.1. The Company may amend this Policy unilaterally.

16.2. The new version of the Policy is posted in the Service and becomes effective from the moment of posting, unless another effective date is specified in the new version.

16.3. Continued use of the Service after the new version of the Policy takes effect means that the User has read the updated version.

16.4. If amendments require the User’s separate consent under applicable law, the relevant processing is carried out after such consent has been obtained.

 

17. CONTACT INFORMATION

For matters related to this Policy, the processing of Personal Data, the exercise of User rights or withdrawal of consent, the User may contact the Company through:

  • the Service functionality or support section;

  • the Company’s email;

  • postal mail to the Company’s legal address.

GOPASS PLATFORM LLP
BIN: 221040004076
Legal address: 010000, Astana, st. Kayim Mukhamedkhanov, 9, office 11
Website: https://invictus.kz
Email: support@invictus.kz
Phone: +7 707 108 0008

 

18. USER CONFIRMATION

By using the Service, the User confirms that they:

  • have read this Policy;

  • understand which categories of Personal Data may be processed when using the Service;

  • understand the purposes of data processing and the possible transfer of data to Partners, payment organizations, technical providers and other persons in the cases provided by this Policy;

  • understand that certain types of processing may require separate consent;

  • may exercise their rights in relation to Personal Data in the manner provided by this Policy and applicable law.