Privacy Policy for Kasa.az ERP Application
Effective date: 28 April 2025

Important notice:
This Privacy Policy explains in detail how Kasa.az (“we,” “our,” or “us”) collects, uses, discloses, and safeguards your information when you install, access, or use the Kasa.az ERP Application (the “App”). Please read it carefully. By using the App, you acknowledge that you have read and understood this Policy. If you do not agree, you must uninstall the App and discontinue all use.

Although we drafted this document to reflect global best practice (including the EU GDPR, UK GDPR, the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA), Türkiye’s KVKK, and Azerbaijan’s Law on Personal Data), it does not constitute legal advice. Local requirements may impose additional or different obligations.


1. Definitions

Term | Meaning
---- | -------
Personal Data | Any information that identifies or can reasonably be linked to an identifiable natural person.
Location Data | Precise geographic coordinates collected from your device’s GPS, Wi-Fi, Bluetooth, or cell-tower triangulation.
Processing | Any operation performed on Personal Data (collection, storage, transmission, deletion, etc.).
Controller | The natural or legal person that determines the purposes and means of Processing Personal Data (here, Kasa.az).
Processor | A third party that Processes data on behalf of the Controller under a written contract.
Authorized Server | The backend host(s) you or your organization designate to receive Location Data via the App’s secure API.

2. Scope and Applicability

This Policy applies to:

  • End users who download, install, or run the App on iOS, Android, HarmonyOS, or any other supported platform; and
  • Organizations (e.g., employers, delivery services, fleet operators) that configure the Authorized Server and distribute the App to their staff.

It governs online and offline data collection wherever the App operates, including:

  1. Foreground use (when the App is open).
  2. Background use (while minimized).
  3. Terminated state (“force-closed”) when the operating system still allows background-location callbacks.

3. Information We Collect

Category | Examples | Source | Legal Basis*
-------- | -------- | ------ | ------------
Precise Location Data | Latitude, longitude, altitude, bearing, speed, timestamp, accuracy metrics. | Your device sensors & OS APIs. | Consent (GDPR Art. 6(1)(a)); contract performance (Art. 6(1)(b)); legitimate interest in real-time tracking (Art. 6(1)(f)).
Device Information | Hardware model, OS version, device ID (e.g., Android ID, IDFV), battery level, network status. | Automatically from device. | Legitimate interest in service reliability & fraud prevention.
Usage Data | App launch time, screen views, error logs, API call latency. | Automatically via in-app telemetry. | Legitimate interest in product improvement.
Account Data (optional) | Name, employee ID, phone number, authentication token issued by your organization. | Provided by employer or you. | Contract performance; legitimate interest.

*Additional grounds (e.g., compliance with a legal obligation or protection of vital interests) may apply in exceptional circumstances.


4. How We Use Your Information

  1. Provide Core Tracking Service – Transmit Location Data to your Authorized Server every few seconds, even while the App is in background, so dispatchers or supervisors can monitor fleets, verify deliveries, or ensure personal safety.
  2. Deliver In-App Features – Display your live location on a map, calculate distance traveled, show trip history, and issue real-time alerts (e.g., geofence events).
  3. Maintain Security & Integrity – Detect fraud, enforce rate limits, protect against denial-of-service attacks, and secure API traffic via TLS 1.3 and certificate pinning.
  4. Improve & Debug – Aggregate usage metrics to optimize battery consumption, fix crashes, and refine routing algorithms.
  5. Comply with Law – Satisfy record-keeping, audit, and lawful access obligations where required.

We never sell, rent, or monetize your Personal Data.


5. Background & “All-the-Time” Location Permission

The App requests the “Allow All the Time” / “Always Allow” permission so that it can:

  • Continue sending Location Data when a driver turns off the screen while navigating.
  • Support emergency-SOS or lone-worker safety functions after you exit the App.
  • Recover gracefully after device reboot or OS upgrades.

Your Control: You may deny or revoke this permission at any time in your device settings or in the App’s Tracking Toggle. Doing so will suspend background transmission until you re-enable it.


6. Data Retention

Data Type | Retention Period | Rationale
--------- | ---------------- | ---------
Location & Trip Logs | Default 30 days (configurable by organization) | Operational visibility without indefinite storage.
Device & Usage Logs | 90 days | Debugging and audit trail.
Account Data | Retained while your employment or service contract remains active; deleted within 30 days of deactivation. | Contractual necessity.

Aggregated, non-identifiable analytics may be stored longer.


7. Sharing & Disclosure

We share Personal Data only in these circumstances:

  1. Authorized Server – Your organization’s backend that you explicitly configure in the App or via an MDM profile.
  2. Service Providers – ISO 27001-certified cloud hosts, push-notification gateways, and database vendors bound by strict Data Processing Agreements.
  3. Legal Requirements – Competent authorities when compelled by subpoena, court order, or similar legal process, provided we are not legally prohibited from notifying you.
  4. Business Transfers – In the unlikely event of a merger, acquisition, or asset sale, subject to confidentiality safeguards and continued protection consistent with this Policy.

We do not disclose precise Location Data to advertising networks, analytics platforms, or social-media partners.


8. International Data Transfers

The App’s default hosting region is Frankfurt, Germany (EU – AWS eu-central-1). Where international transfers occur (e.g., to the U.S.), we rely on:

  • Adequacy decisions (GDPR Art. 45),
  • Standard Contractual Clauses approved by the European Commission, and
  • Supplementary technical measures (encryption in transit and at rest, zero-trust network architecture).

9. Security Measures

  • TLS 1.3 for all traffic between the App and the servers it reports to; every TLS 1.3 key exchange is ephemeral, so each session has forward secrecy.
  • AES-256 encryption at rest, with keys stored in hardware security modules (HSMs).
  • OAuth 2.1 (currently an IETF draft consolidating OAuth 2.0 best practice) / OpenID Connect for server-to-server authorization.
  • Role-based access control and multi-factor authentication for our personnel.
  • Annual penetration tests and continuous vulnerability scanning.
  • Incident-response plan conforming to ISO/IEC 27035 and NIST SP 800-61.

No method of transmission is 100 % secure, but we strive for industry-leading protections.


10. Your Rights

Depending on your jurisdiction, you may have the right to:

Right | Description
----- | -----------
Access | Obtain a copy of the Personal Data we hold.
Rectification | Correct inaccurate or incomplete data.
Erasure | Request deletion (“right to be forgotten”).
Restriction | Limit Processing under certain conditions.
Portability | Receive data in a structured, machine-readable format.
Objection | Object to Processing based on legitimate interests.
Automated Decision-Making | Contest decisions made solely by algorithms (we do not perform such profiling).
Opt-Out (CCPA/CPRA) | Direct us not to share data for cross-context behavioral advertising (we already refrain).

To exercise any right, email privacy@kasa.az or use the in-app Privacy Center. We will verify your identity and respond within the statutory deadline (one month under the GDPR, 45 days in California, each extendable only where the law permits).


11. Your Choices & Controls

  • Tracking Toggle – Pause or resume background location transmission.
  • Precision Slider – (Optional) Lower accuracy to coarse location to conserve battery.
  • Clear History – Delete cached trip logs on device.
  • Do Not Track Analytics – Opt-out of anonymous crash reports (Settings > Privacy).
  • Push Notification Settings – Customize or disable alerts.

12. Third-Party Services & SDKs

The App intentionally contains no third-party advertising SDKs. We use only:

  • Map Tile Provider – OpenStreetMap or Mapbox (telemetry disabled).
  • Crash-Reporting Library – Sentry, configured to redact IP addresses.

Each provider is bound by contract to process data solely on our instructions.


13. Children’s Privacy

The App is not directed to children under 16. We do not knowingly collect Personal Data from minors. If you are a parent or guardian who believes your child has provided information, please contact privacy@kasa.az; we will promptly delete it.


14. Changes to This Policy

We may update this Policy to reflect legal, technical, or business changes. The “Effective date” above tells you when it last changed. Material changes (e.g., new data recipients or purposes) will be announced via:

  1. In-app banner requiring acknowledgment, and
  2. Email to the address on file (if provided),

at least 30 days before the new Policy takes effect.


15. Contact Us

Kasa.az
Caspian Software LLC
79B Nobel Ave., AZ1025 Baku, Azerbaijan
E-mail: privacy@kasa.az
Phone: +994 70 611 88 11

If you believe we have infringed your privacy rights, you may lodge a complaint with:

  • The State Agency for Personal Data Protection of Azerbaijan, or
  • Your local supervisory authority in the EEA/UK, or
  • The California Privacy Protection Agency (for California residents).

16. Annex A – Data-Protection Impact Assessment (DPIA) Summary

Because continuous, background Location Data constitutes “high-risk” processing under GDPR Art. 35, we performed a full DPIA, concluding:

  • Risks Identified: Re-identification, unwanted surveillance, physical security threats if data were breached.
  • Mitigations Implemented: Strong encryption, granular consent, minimal retention, pseudonymization in analytics, regular security audits, employee training.

Full DPIA available on request under NDA.


17. Annex B – Technical Specification of Location Reporting

Parameter | Value | Notes
--------- | ----- | -----
Protocol | HTTPS, gRPC | TLS 1.3 enforced.
Payload Schema | JSON (RFC 8259) | {"lat": float, "lon": float, "ts": ISO-8601, ...}
Frequency | Default 5 s (configurable 1-60 s) | Adaptive throttling when battery ≤ 15 %.
Compression | HTTP/2 HPACK + Brotli | HPACK compresses request headers and Brotli the JSON body; saves cellular data.
Authentication | JWT (HS256/RS256) | Token lifetime 24 h, refresh via OAuth 2.1. The verifier must pin the expected algorithm for each key rather than honour the token’s own alg header, so that HS256 and RS256 tokens cannot be confused.
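The Python below is added here as a worked example of the intake path Annex B implies on an Authorized Server; it is not Kasa.az’s own code. It verifies the bearer JWT against one pinned algorithm and key (HS256 with a shared secret is assumed; an RS256 deployment pins the RSA public key in the same way), then range- and time-checks the {"lat", "lon", "ts"} payload before it is accepted. The 24 h token lifetime comes from Annex B; the shared key, clock value, employee identifier, sample report and the 5-minute clock-skew allowance are all constructed for this example. Standard library only.

```python
import base64
import hashlib
import hmac
import json
from datetime import datetime, timezone

TOKEN_LIFETIME_S = 24 * 3600  # Annex B: token lifetime 24 h
MAX_CLOCK_SKEW_S = 300        # assumption: reports stamped >5 min ahead of server time are rejected


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_hs256(claims: dict, key: bytes, now: int) -> str:
    """Mint an HS256 JWT whose iat/exp derive from `now` (Unix seconds)."""
    header = {"alg": "HS256", "typ": "JWT"}
    body = dict(claims, iat=now, exp=now + TOKEN_LIFETIME_S)
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, body)
    )
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_hs256(token: str, key: bytes, now: int) -> dict:
    """Verify against ONE pinned algorithm and key.

    The token's alg header is compared with the pinned value, never used to
    pick the verification routine, so a header saying "RS256" or "none"
    cannot steer this HMAC key into another algorithm.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h_b64, p_b64, s_b64 = parts
    try:
        header = json.loads(b64url_decode(h_b64))
        signature = b64url_decode(s_b64)
    except ValueError:  # binascii.Error, JSONDecodeError and UnicodeDecodeError are all ValueErrors
        raise ValueError("malformed token") from None
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("alg mismatch: verifier is pinned to HS256")
    expected = hmac.new(key, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):  # constant-time comparison
        raise ValueError("bad signature")
    try:
        claims = json.loads(b64url_decode(p_b64))
    except ValueError:
        raise ValueError("malformed claims") from None
    exp = claims.get("exp") if isinstance(claims, dict) else None
    if not isinstance(exp, int) or isinstance(exp, bool) or now >= exp:
        raise ValueError("token expired or exp missing")
    return claims


def validate_report(payload: dict, now: int) -> dict:
    """Check an Annex B {"lat", "lon", "ts", ...} report; return a normalised copy."""
    lat, lon, ts = payload.get("lat"), payload.get("lon"), payload.get("ts")
    for name, value, limit in (("lat", lat, 90.0), ("lon", lon, 180.0)):
        # bool is an int subclass, so exclude it; NaN/inf fail the range test
        if isinstance(value, bool) or not isinstance(value, (int, float)) or not -limit <= value <= limit:
            raise ValueError(f"{name} must be a number in [-{limit:g}, {limit:g}]")
    if not isinstance(ts, str):
        raise ValueError("ts must be an ISO-8601 string")
    stamp = datetime.fromisoformat(ts.replace("Z", "+00:00"))  # Python < 3.11 rejects a bare 'Z'
    if stamp.tzinfo is None:
        raise ValueError("ts must carry a UTC offset")
    if stamp.timestamp() > now + MAX_CLOCK_SKEW_S:
        raise ValueError("ts lies in the future")
    return {"lat": float(lat), "lon": float(lon), "ts": stamp.astimezone(timezone.utc)}


def parse_bearer(authorization: str) -> str:
    scheme, _, token = authorization.partition(" ")
    if scheme != "Bearer" or not token:
        raise ValueError("expected 'Authorization: Bearer <jwt>'")
    return token


def handle_report(authorization: str, body: bytes, key: bytes, now: int) -> dict:
    """Authenticate the caller first, then validate what it sent."""
    claims = verify_hs256(parse_bearer(authorization), key, now)
    payload = json.loads(body)
    if not isinstance(payload, dict):
        raise ValueError("payload must be a JSON object")
    report = validate_report(payload, now)
    report["sub"] = claims.get("sub")
    return report


# Constructed sample data: key, clock, subject and coordinates are invented for this example.
DEMO_KEY = b"constructed-shared-secret-not-for-production"
DEMO_NOW = 1745834400  # 2025-04-28T10:00:00Z
DEMO_BODY = b'{"lat": 40.4093, "lon": 49.8671, "ts": "2025-04-28T09:59:57Z", "speed": 12.4}'

if __name__ == "__main__":
    token = issue_hs256({"sub": "emp-0042"}, DEMO_KEY, DEMO_NOW - 3600)
    print(handle_report("Bearer " + token, DEMO_BODY, DEMO_KEY, DEMO_NOW))
```

The design point is in `verify_hs256`: the header’s `alg` is checked for equality with the pinned value and then ignored, so the key can only ever be used with the algorithm it was provisioned for. Signature verification precedes any use of the claims, and the payload check rejects coordinates out of range, timestamps without an offset, and reports stamped ahead of the server clock beyond the assumed skew.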

By continuing to use the Kasa.az ERP Application after reading this Policy, you affirm your consent to our Processing of Personal Data as described above. If you have questions, please reach out via the contact details in section 15.