Privacy policy and personal data processing

CJSC MCC “Bailyk Finance”

  1. General provisions
    • This Privacy and Personal Data Processing Policy (hereinafter “the Policy”) has been developed in accordance with the requirements of the Digital Code of the Kyrgyz Republic (hereinafter “DC KR”), including Chapter 11 of the DC KR regulating the processing of personal data, regulatory legal acts (hereinafter “RLA”) of the National Bank of the Kyrgyz Republic, and other RLAs of the Kyrgyz Republic.
    • The Policy establishes the legal and organizational bases for the processing of personal data by the Closed Joint-Stock Company Microcredit Company “Bailyk Finance” (hereinafter “the Company”) and applies to all categories of personal data subjects whose data are processed by the Company in connection with its activities.
    • The Policy is a public document, published on the Company’s website https://bf.kg/ (hereinafter “the Website”) and in the “Bailyk 24” Mobile Application (hereinafter “the Mobile Application”), and applies jointly with other Company documents governing personal data processing, including: the Public Offer on the use of the Mobile Application and its Annex 1 (Consent to Personal Data Processing), the Loan Agreement and other civil law agreements concluded with personal data subjects, as well as the Company’s internal regulatory documents.
  2. Terms and Definitions

The following terms and abbreviations are used in this Policy:

Company — Closed Joint-Stock Company Microcredit Company “Bailyk Finance”, the owner of personal records in accordance with Article 1 of the DC KR, independently determining the purposes and methods of personal data processing.

Personal Data Subject — a natural person to whom the personal data being processed relate. Depending on the context, the subject may be:

  • Website Visitor — any natural person visiting the Website without entering into a contract;
  • Prospective Client — a natural person who has submitted a consultation request or online credit/financing application via the Website;
  • Client — a natural person aged 18 or above with full legal capacity and capacity to act, who has entered into a Loan Agreement and/or other civil law agreement with the Company;
  • Mobile Application User — a natural person who has been identified at a Company office, signed the Agreement of Participants in Digital Legal Relations, and registered in the Mobile Application;
  • Partner / Prospective Supplier — a natural or legal person who has submitted a partnership application via the Website.

Personal Data — digital data containing personal information, i.e. information about a natural person who can be identified either on the basis of that information or in combination with other information to which the Company has access.

Special Categories of Personal Data — categories of personal data whose processing requires a separate legal basis: health data, data on racial or ethnic origin, political views, religious beliefs, trade union membership, and genetic information.

Processing of Personal Data — any action (operation) or set of actions performed with personal data, including collection, recording, organization, structuring, accumulation, storage, adaptation, alteration, use, disclosure by transmission, dissemination, alignment, deletion, or destruction.

Processor — a participant in digital legal relations to whom the Company has entrusted personal data processing under a contract.

Cross-border Transfer — transfer of personal data to record owners under the jurisdiction of other states.

Subject’s Consent — a voluntary, specific, informed, and conscious expression of will by the personal data subject regarding the processing of their personal data, given in any form that allows confirmation of its receipt. Consent may be withdrawn by the subject in a manner no more burdensome than the procedure for its provision.

Mobile Application — the “Bailyk 24” software application for Android and/or other supported operating systems, designed for the User to access Company services.

Loan Agreement — an agreement concluded between the Company and the Client providing for the issuance of a microloan and defining the terms of its disbursement, use, and repayment.

ABS — the Company’s automated banking system.

PWD — person with a disability.

AML/CFT — anti-money laundering and countering the financing of terrorism, in accordance with the Law of the Kyrgyz Republic “On Countering the Financing of Criminal Activities and Legalization (Laundering) of Criminal Proceeds” dated 6 August 2018 No. 87.

  1. Categories of Personal Data Subjects and Legal Bases for Processing

The Company processes personal data where at least one of the grounds provided for in Article 79 of the DC KR is present:

  1. necessity to conclude or perform a contract to which the subject is a party;
  2. fulfilment of obligations established by the legislation of the Kyrgyz Republic;
  3. pursuit of the Company’s legitimate interests, provided that the subject’s rights are respected;
  4. consent of the personal data subject — in the absence of other grounds.

3.1.      Website Visitor

  • When visiting the Website, the Company automatically receives technical data: IP address, browser and device data, cookies, and data on Website behavior. Collection is carried out in part via the Google Analytics service.
  • Processing is performed on the basis of the Company’s legitimate interest for the purpose of ensuring the Website’s operation, its security, and improving service quality.

3.2.      Prospective Client

  • The following forms are available on the Company’s Website:
  • “Consultation Request” form — the subject provides the subject of the enquiry, name, and mobile phone number. Data are forwarded to the Company’s Contact Centre. Processing is performed on the basis of pre-contractual measures at the subject’s initiative;
  • “Online Application” form — the subject provides full name, email address, phone number, financing amount and term, financing purpose, and comments, and may indicate the need for home-visit service (“I require home-visit service (PWD)”). Data are forwarded to the Company’s Contact Centre. Processing is performed on the basis of pre-contractual measures at the subject’s initiative and the subject’s consent given by clicking the “Submit” button. The home-visit service indication is informational — the final PWD status is recorded by an authorized Company employee upon the subject’s personal visit to the office.

3.3.      Client

  • A natural person who has entered into a Loan Agreement and/or other civil law agreement with the Company at a Company office.
  • Processing is performed on the basis of contract performance, legislative requirements (including AML/CFT), and the Client’s consent drawn up as a separate document signed by hand.

3.4.      Mobile Application User

  • A natural person who has been identified at a Company office and registered in the Mobile Application by accepting the Public Offer. Registration in the Mobile Application is voluntary and is not a mandatory condition for entering into a Loan Agreement.
  • Currently, the Mobile Application is available only to existing Clients who have registered and been identified at Company offices.
  • Processing is performed on the basis of the Public Offer and its Annex 1 (Consent to Personal Data Processing) accepted by the User.

3.5.      Partner / Prospective Supplier

  • When completing the “Become a Partner” form on the Website, the subject provides the legal name of the organization, contact person’s full name, phone number, and email address.
  • Processing is performed on the basis of pre-contractual measures at the subject’s initiative and consent expressed by clicking the “Submit Application” button.
  1. Categories of Personal Data Processed

4.1.       Website Visitor Data (collected automatically):

  • IP address;
  • browser data (type, version, language);
  • device data (type, operating system);
  • cookies;
  • Website behavior data (pages visited, time on Website).

4.2.       Prospective Client Data:

  • “Consultation Request” form:
  • name (free form);
  • mobile phone number;
  • subject of enquiry (free form).
    • Online Application:
  • full name;
  • email address;
  • phone number;
  • financing amount and term;
  • financing purpose;
  • comments (free form);
  • home-visit service indication (PWD) — informational; PWD status is recorded in the Company’s ABS by an authorized employee upon the subject’s personal visit to the office.
    • QR loan repayment service:
  • taxpayer identification number (TIN) — entered by the subject and transmitted to the Company’s payment partner to generate a payment order.
  • The type of product selected (classic credit or Islamic financing) is recorded for correct payment routing.

4.3.       Client Data:

  • Provided by the Client when entering into a contract:
  • surname, first name, patronymic (if applicable);
  • gender;
  • date of birth;
  • citizenship;
  • personal identification number (PIN);
  • series, number, date of issue and expiry of identity document, name of issuing authority;
  • residential address (actual and registered);
  • marital status and family composition;
  • phone number;
  • email address;
  • place of work, position;
  • salary and other income;
  • information on assets and liabilities;
  • bank account or other electronic payment instrument details;
  • information on education and employment history.
    • Received from third parties with the Client’s consent:
  • data from credit bureaus and mobile network operators;
  • information from the Social Fund of the Kyrgyz Republic;
  • information from the State Registry of National Passports of KR Citizens (Ministry of Digital Development of KR, State Enterprise “Kyzmat”);
  • data from the National Integrated Cadastral System;
  • information from other lawful sources.
    • Collected during servicing:
  • information on transactions performed and credit history;
  • records of enquiries to the Company’s Contact Centre;
  • other data necessary for contract performance.

4.4.       Mobile Application User Data:

  • login (mobile phone number), PIN code;
  • mobile device data: model, OS version, unique device identifiers;
  • data on actions and requests performed in the Mobile Application;
  • anonymized Mobile Application usage statistics;
  • other data necessary for providing services through the Mobile Application.

4.5.       Partner / Prospective Supplier Data:

  • legal name of the organisation;
  • contact person’s full name;
  • phone number;
  • email
  1. Processing of Health Data
    • In accordance with Article 80 of the DC KR, health data are a special category of personal data and require a separate legal basis for processing.
    • The Company processes information on whether a Client has the status of a person with a disability (PWD). The status is recorded by an authorized Company employee in the ABS on the basis of a document presented by the Client upon visiting the office. A subject who indicated the need for home-visit service in an online application via the Website informs the Company of their preference — the final status is recorded by an authorized employee upon the subject’s personal visit to the office.
    • Data are processed exclusively for the purpose of organizing appropriate service. The legal basis is the subject’s explicit expression of will.
    • The Company applies additional protection measures to health data and does not process them for purposes other than those specified in this Policy.
  2. Purposes of Personal Data Processing
    • The Company processes personal data for the following predetermined and lawful purposes:
  • Identification and verification of the personal data subject.
  • Conclusion and performance of the Loan Agreement and other civil law agreements.
  • Assessment of the Client’s creditworthiness and solvency, verification of credit information.
  • Disbursement, servicing, and repayment of microloans, monitoring of active loans.
  • Ensuring the operation and technical functioning of the Mobile Application and Website, improving service quality.
  • Security, prevention of fraudulent actions and unauthorized access.
  • Interaction with subjects: notifications, consultations, handling of enquiries and complaints.
  • Informing about the Company’s products and services (with the right to opt out of promotional messages via Mobile Application settings or by contacting the Contact Centre).
  • Fulfilment of KR legislative requirements, including AML/CFT, enforcement of court and other authorities’ orders.
  • Storage of documents in accordance with archival retention periods established by KR legislation.
  • Review of applications from prospective partners and suppliers.
  • Ensuring Website operation and analyzing its use (web analytics).
  • Organizing appropriate service for PWDs.
    • The Company ensures that the volume of data processed corresponds to the stated processing purposes and takes measures to eliminate any excess.
  1. Principles of Personal Data Processing
    • The Company processes personal data in accordance with the following principles:
  • Lawfulness, fairness, and transparency — processing is carried out on lawful grounds, openly with respect to the subject.
  • Purpose limitation — data are processed only for specific, predetermined, and lawful purposes; change of purpose without the subject’s consent is not permitted.
  • Data minimization — the volume of data processed does not exceed what is necessary to achieve the processing purpose.
  • Accuracy — the Company takes measures to ensure the accuracy, adequacy, and currency of data.
  • Storage limitation — data are stored no longer than required by processing purposes or legislation.
  • Integrity and confidentiality — processing is carried out with the application of organizational and technical protection measures against unauthorized access, destruction, or damage to data.
    • The Company is responsible for compliance with these principles and must be able to demonstrate such compliance.
  1. Transfer of Personal Data to Third Parties

8.1.       General Rule

The Company does not transfer personal data of subjects to third parties, except in the following cases:

  • the subject has given explicit consent to the transfer;
  • the transfer is necessary for the performance of a contract with the subject;
  • the transfer is provided for by the legislation of the Kyrgyz Republic.

8.2.       Internal Structural Divisions of the Company

  • Access to personal data is granted only to those Company employees for whom it is necessary to perform their job duties. Applications submitted via the Website (consultation request, online application, partnership application) are forwarded to the Company’s Contact Centre.
  • Loan applications submitted through the Mobile Application are forwarded to Company office employees for further processing and decision-making.

8.3.       Processors

  • The Company may engage processors under a contract. Processors include:
  • the Company’s payment partners — for processing loan repayment requests, including via the QR service on the Website (the subject’s TIN is transmitted to the payment partner to generate a payment order);
  • other organizations engaged to support the Company’s operations under a contract.
    • The Company ensures the processor’s compliance with DC KR requirements regarding personal data processing.

8.4.       Third Parties Under Legislative Requirements

  • The Company transfers personal data to state authorities, credit bureaus, the Social Fund, courts, and other authorized bodies in the cases and manner provided for by the legislation of the Kyrgyz Republic, including in compliance with AML/CFT requirements.

8.5.       Cross-border Transfer

  • The Company carries out cross-border transfer of personal data in the following cases:
  • use of the Google Analytics service on the Website involves the transfer of technical data of Website Visitors (IP address, browser data, Website behavior) to Google servers located outside the Kyrgyz Republic. The transfer is carried out on the basis of the Company’s legitimate interest;
  • transfer of subjects’ personal data to third parties under the jurisdiction of other states is carried out on the basis of the subject’s consent to cross-border transfer, or where such transfer is necessary for the conclusion or performance of a contract to which the subject is a party, in accordance with Article 89 of the DC KR.

8.6.       Third-Party Data

  • If a Client transmits to the Company personal data of third parties (e.g., guarantors, family members), the Client confirms that they have obtained those persons’ consent to the collection, processing, and transfer of the specified data.
  1. Personal Data Retention Periods
    • The Company retains personal data for no longer than required by the purposes of their processing. Upon achieving the processing purposes or upon the loss of necessity to achieve them, personal data are subject to deletion or anonymization, unless a different period is established by legislation.
    • Retention periods by subject category:
  • Website Visitor data (cookies, logs) — for the period necessary to achieve the processing purpose, unless otherwise established by legislation;
  • Prospective Client data (Website applications) — for the period necessary for reviewing the application and making a decision, unless otherwise established by legislation;
  • Client data under the Loan Agreement — no less than the term of the agreement and the periods established by the List of Principal Documents Generated in the Activities of Commercial Banks and Financial Credit Organizations Licensed by the National Bank of the Kyrgyz Republic, approved by Resolution of the Board of the National Bank of the Kyrgyz Republic dated 27 August 2004 No. 22/9;
  • Mobile Application User data — no less than the term of any agreement concluded with the Company, unless otherwise established by legislation;
  • Partner / Prospective Supplier data — for the period necessary for reviewing the application and making a decision, unless otherwise established by legislation.
    • Grounds for early deletion of data are provided for in Article 83 of the DC KR, including: the data are no longer necessary for processing purposes; the subject has withdrawn consent in the absence of other legal grounds; the subject has submitted a justified objection to processing.
  1. Rights of Personal Data Subjects
    • Each personal data subject has the right to:
  • Receive information about the processing of their personal data, including purposes, legal bases, categories of data, retention periods, and list of recipients.
  • Access their personal data and copies of records containing them.
  • Request clarification and correction of incomplete or inaccurate data.
  • Request deletion of personal data where grounds provided for in Article 83 of the DC KR exist.
  • Submit an objection to the processing of personal data by certain methods or for certain purposes. The Company is obliged to consider the objection and send a reasoned response within 7 (seven) business days.
  • Request restriction of processing in cases provided for in Article 85 of the DC KR.
  • Withdraw consent to the processing of personal data. Withdrawal of consent does not affect the lawfulness of processing carried out prior to its withdrawal. Upon withdrawal of consent, the Company may continue processing where other grounds provided for in Part 1 of Article 79 of the DC KR exist.
  • Appeal the Company’s decisions to the sectoral personal data regulator or to a court.
    • To exercise their rights, the personal data subject sends a written request to the Company at callcenter@bf.kg or via the Contact Centre phone numbers indicated on the Website.
    • The Company reviews the request and sends a reasoned response within 7 (seven) business days.
  1. Personal Data Protection Measures
    • The Company takes necessary organizational and technical measures to protect personal data from unauthorized or unlawful access, destruction, alteration, blocking, copying, or dissemination, including:
  • appointment of an employee responsible for personal data processing at the Company;
  • restriction of access to personal data — only for Company employees who require it for their work;
  • application of technical information security tools;
  • organization of employee training on personal data processing rules;
  • storage of data on Company servers located in the Kyrgyz Republic (except for cross-border transfer cases specified in Section 7.5 of this Policy).
  1. Obligations of Personal Data Subjects
    • Personal data subjects are obliged to:
  • provide the Company with only accurate data about themselves;
  • provide data in the volume necessary for the processing purpose;
  • notify the Company in a timely manner of any changes to their personal data.
  1. Final Provisions
    • All matters related to the processing of personal data not regulated by this Policy are governed by the DC KR and other applicable legislation of the Kyrgyz Republic.
    • The Company reserves the right to amend this Policy unilaterally. A new version takes effect from the moment of its publication on the Website and/or in the Mobile Application, unless the new version provides otherwise. Continued use of the Company’s services after the amendments take effect constitutes the subject’s agreement to the updated Policy.
    • This Policy has been developed taking into account the requirements of the DC KR, RLAs of the National Bank of the Kyrgyz Republic, and other RLAs of the Kyrgyz Republic.
    • For all matters related to personal data processing, the subject may contact:
  • by email: callcenter@bf.kg;
  • by Contact Centre phone: 0(220) 991-111, 0(559) 991-111, 0(509) 991-111;
  • by address: Bishkek, 170, Fatyanova St., 2nd floor.

Any questions left?

You can leave a request for advice from the sales manager using this form




    petal