CRM PHARMIT PRIVACY POLICY

1. Terms and Definitions

1.1. CRM PharmIT (hereinafter — the System) — software developed by PharmIT LLP, designed to automate the activities of pharmaceutical distribution companies, including customer base management, employee performance monitoring and efficiency analysis.

1.2. User — an employee of the client company (administrator, regional manager, medical representative) who has individual credentials to access the System.

1.3. Client — a legal entity (pharmaceutical distribution company) that has concluded an agreement with PharmIT LLP and provides access to the System to its employees.

1.4. Personal data — any information related to a directly or indirectly identified individual (User), including full name, position, contact phone number, email address, photograph and other information necessary for working in the System.

2. Subject and Purpose of Data Processing

2.1. This Policy defines the procedures for collecting, storing, processing and protecting personal data of Users obtained while using the web version and mobile application of CRM PharmIT.

2.2. The purpose of personal data processing is to ensure the functioning of the System, including:

authorization and identification of Users;
monitoring task execution and reporting;
planning and conducting visits;
route planning and comparison of actual movements with planned ones;
confirming visits to pharmacies, doctors and medical institutions;
providing notifications and mailings;
generating analytics and reporting for the Client;
analysis, improvement and development of the System;
ensuring technical support and security of the System.

3. Composition of Collected Data

3.1. The following categories of data are processed within the use of the System:

information about Users: full name, phone, email, position, photograph;
data about company clients: information about doctors, pharmacies, medical institutions;
technical information: IP address, device information, operating system, application version, application logs, internet connection information;
User location data;
photographs, documents and other files uploaded by the User to the System;
technical device identifiers used to deliver push notifications.

3.2. All data is provided by the Client and Users voluntarily in the process of using the System.

3.3. Use of Location Data

The CRM PharmIT mobile application collects User device location data using GPS, mobile network and Wi-Fi technologies.

Location data is collected:

while using the application;
in the background during the User's active work shift;
when performing route planning, visit monitoring and field activity tracking functions.

Location data collection begins after the User opens a work shift and stops after it ends.

Location data is used exclusively for:

building the actual movement route of the medical representative;
confirming visits to pharmacies, doctors and medical institutions;
recording the coordinates of the start and end of visits;
monitoring the execution of routes and visit activity plans;
generating reporting and analytics for the User's employer.

The System does not collect location data outside the User's active work shift.

Rebooting the User's device is not grounds for automatically starting location data collection. Geolocation data collection begins only after the User opens a work shift.

Use of background location access is a necessary condition for the functioning of the route monitoring and visit confirmation mechanism. Without granting this permission, certain functions of the mobile application may work incorrectly or be unavailable.

3.4. Use of the Camera

The mobile application may access the User's device camera to:

create photo reports for visits;
record product display;
confirm task completion;
attach photographs to reports and visit cards.

The application does not perform hidden photo or video recording.

3.5. Use of Device Photographs and Files

The mobile application may access device photographs and files exclusively to:

allow the User to select photographs and documents to upload to the System;
attach files to visits, reports and CRM objects;
ensure the application works in offline mode.

The application does not view, process or transfer files that were not selected by the User independently.

3.6. Notifications

To inform Users about tasks, visits, schedule changes and other events, the System may use push notifications.

Technical device identifiers necessary for the functioning of the relevant notification services may be used to deliver notifications.

3.7. Mobile Application Permissions Used

The CRM PharmIT mobile application may use the following device system permissions:

Permission	Purpose of Use
Geolocation (precise and approximate)	Determining the User's location, building routes and confirming visits
Background geolocation	Continuous route recording during an active work shift
Camera	Creating photo reports
Access to photographs and files	Uploading documents and photographs to CRM
Notifications	Informing the User about events and tasks
Internet and network state	Data synchronization and ensuring the application works

4. Data Processing and Use

4.1. Data processing is carried out exclusively for the purposes specified in Section 2 of this Policy.

4.2. Data is not transferred to third parties, except for:

cases provided for by the legislation of the Republic of Kazakhstan;
transfer of data to the System Client who is the User's employer, within the framework of performing CRM PharmIT functions.

4.3. Creation and configuration of User access rights are carried out on the Client side.

4.4. Access to data is limited and provided only to authorized employees of PharmIT LLP to the extent necessary to ensure the functioning of the System and technical support.

4.5. User location data is transferred to the User's employer, who is the Client of the CRM PharmIT system, exclusively for the purposes of monitoring the performance of official duties, analyzing field activity and generating reporting.

4.6. The User has the right to revoke previously granted permissions at any time through their device settings. Revoking permissions may lead to limitations in the functionality of certain features of the mobile application, including GPS tracking, photo capture of visits and file uploads.

5. Storage and Protection of Personal Data

5.1. Personal data is stored on secure servers located in the Republic of Kazakhstan.

5.2. PharmIT LLP takes the necessary organizational and technical measures to protect personal data from unauthorized access, modification, blocking, copying, distribution and destruction.

5.3. Personal data is stored for the duration of the agreement with the Client or within the periods established by the legislation of the Republic of Kazakhstan.

5.4. Location data, photographs, documents and other materials created or uploaded by the User in the course of performing job duties may be used by the System Client for the purposes of internal control, reporting, auditing and analysis of employee performance.

5.5. Route history and location data are stored for no more than 24 months, unless a different period is provided for by the legislation of the Republic of Kazakhstan or the agreement with the Client.

5.6. Use of Background Location Access

The CRM PharmIT mobile application uses the background location access permission exclusively during the User's active work shift.

Background access is necessary for:

building the actual movement route;
confirming visits to pharmacies, doctors and medical institutions;
monitoring the execution of visit activity plans;
generating employer reporting.

Data is not used for advertising purposes, marketing profiling, sale to third parties or tracking the User outside the work process.

6. User Rights

6.1. The User has the right to:

request information about their personal data;
require their correction, update or deletion;
withdraw consent to data processing.

6.2. To exercise rights, the User may contact the contact details specified in Section 8 of this Policy.

7. Liability of Parties

7.1. PharmIT LLP is not responsible for the actions of the Client that violate the rights of Users, including unlawful transfer or disclosure of personal data.

7.2. The Client is responsible for the accuracy and reliability of the data provided, as well as for the actions of its employees who have access to the System.

8. Contact Information

PharmIT Limited Liability Partnership

Legal/Actual address: 050042, Almaty, Zhandosov str. 98, office 603, Navoi Towers BC

BIN: 130940016074

IIK: KZ09998CTB0001027586 (KZT)

BIK: TSESKZKA

Bank: АО «Jusan Bank»

E-mail: info@pharmit.kz

9. Final Provisions

9.1. Use of CRM PharmIT by the User means agreement with the terms of this Policy.

9.2. PharmIT LLP reserves the right to change the Privacy Policy. The current version is always available upon Client request.