Privacy Policy
PRIVACY POLICY OF TITLE BROKER INTERNATIONAL LTD.
1. General Provisions
1.1 Purpose and Scope
This Privacy Policy (the “Policy”) sets out how Title Broker International Ltd. (hereinafter the “Company”, “TBI”, “we”, “us”) collects, uses, stores, shares and protects Personal Data in the context of its Internet resource http://titul-broker.kz (the “Website”) and any related online portals, forms, tools and services. This Policy applies to Website visitors, prospective and existing clients, and other individuals who interact with TBI through the Website.
1.2 Governing Law and Compliance Framework
This Policy is governed by the AIFC legal framework, including AIFC Data Protection Regulations No. 10 of 2017 (“AIFC DPR”) and AIFC Data Protection Rules (together, the “AIFC Data Protection Legislation”), and any other applicable AIFC legislation relating to data protection, confidentiality, and information security. Where this Policy conflicts with the AIFC Data Protection Legislation, the latter shall prevail.
1.3 Definitions and Interpretation
Unless otherwise specified herein, capitalised terms have the meanings ascribed to them in the AIFC Data Protection Legislation. Terms may be further clarified in relevant sections of this Policy for transparency and ease of understanding.
1.4 Lawful Bases for Processing
We process Personal Data strictly on lawful bases recognised by the AIFC DPR, which may include: (a) consent; (b) performance of a contract or steps before entering into a contract; (c) compliance with legal or regulatory obligations (including AML/CFT and prudential obligations); (d) legitimate interests pursued by TBI (e.g., Website security, service improvement), provided such interests are not overridden by your rights and freedoms; (e) protection of vital interests; and (f) performance of a task carried out in the public interest, where applicable. Specific lawful bases for each purpose are described in Section 3 of this Policy.
1.5 Acceptance of the Policy
By accessing or using the Website, you confirm that you have read and agree to this Policy. If you disagree, you must immediately cease using the Website. Where processing relies on consent, you may withdraw it at any time as described in this Policy; withdrawal does not affect the lawfulness of processing before withdrawal.
1.6 Master Consent to Processing
By creating an account, submitting forms on the Website, or otherwise engaging with TBI online, you provide your consent for TBI to collect and process your Personal Data as described in this Policy, including but not limited to identity, contact, onboarding/KYC, transactional, security/usage and communications data, and to combine such data across our systems for the purposes set out herein. This consent is in addition to, and does not limit, any other lawful bases upon which TBI may rely (e.g., performance of a contract, legal obligations, legitimate interests).
1.7 Specific and Granular Consents
Where required by AIFC law, TBI will obtain your explicit consent for particular activities, including: (a) direct marketing communications; (b) use of non-essential cookies/analytics; (c) remote identification involving biometric identifiers/biometric data; and (d) certain international data transfers in the absence of an adequacy decision or alternative safeguards. Such consents are recorded and can be withdrawn at any time as described in Section 12 of this Police.
1.8 Effect of Withdrawing Consent
Withdrawing consent does not affect processing carried out on other lawful bases (e.g., AML/CFT, record-keeping). If a specific service relies on your consent (e.g., marketing, analytics, biometric remote ID), withdrawing your consent may limit or prevent our ability to provide that service or feature.
1.9 Third-Party Websites and Applications
The Website may contain links to third-party websites or applications (e.g., Google, Instagram, YouTube). TBI does not control the privacy practices of such third parties and is not responsible for their policies or processing activities. We strongly recommend that you review the privacy policies of any third-party resources before providing Personal Data.
1.10 Territorial Scope and International Elements
Processing may involve cross-border elements (e.g., hosting, support, analytics). International transfers are addressed in Section 4 of this Policy. They are performed only in accordance with the AIFC Data Protection Legislation (e.g., transfers to jurisdictions with an adequate level of protection or appropriate safeguards, and, where required, notification to the AIFC Commissioner of Data Protection).
1.11 Children’s Data
Our services are not directed to persons under 18 years of age. We do not knowingly collect Personal Data from minors. If you believe a minor has provided Personal Data to us, please contact us at info@titul-broker.kz so that we can take appropriate action.
1.12 Relationship with Internal Policies
This Policy is complemented by TBI’s internal Personal Data Processing Policy and procedures, which govern staff obligations, security controls, incident response, records of processing, and regulatory notifications (including those to the AIFC Commissioner, where applicable).
1.13 Jurisdiction, Severability, Updates, and Contact
Disputes: Any disputes between the User and the Company relating to or arising out of this Policy shall be resolved in the AIFC Court, in accordance with its Rules and Regulations. Severability: If any provision of this Policy is found to be invalid, unenforceable, or unlawful by a court or competent authority, the remaining provisions shall remain in full force and effect to the maximum extent permitted by law. Updates: We may amend this Policy and will post an updated version with a “last revised” date. Continued use constitutes acceptance. Contact (privacy matters, rights, incidents): info@titul-broker.kz (include full name, Website email, and phone for verification).
2. Types of Data Collected
2.1 Overview and Sources
We collect Personal Data: (a) directly from you (forms, correspondence, onboarding/KYC); (b) automatically via the Website (cookies, logs); and (c) from third-party sources where permitted by law (identity verification providers, payment processors, sanctions/PEP databases, analytics providers).
2.2 Contact Forms and Correspondence
By filling in the Website form you authorise TBI to process details to reply to inquiries/quotes, provide support, handle complaints, and maintain records required by AIFC laws. Data may include name, email, phone, company details, content/metadata (timestamps, technical IDs). You confirm legal capacity to submit such data. Where necessary, vetted service providers (IT/hosting/communications) may process such data on our behalf.
2.3 Account Creation and Onboarding (incl. Remote Identification/KYC)
When opening a brokerage account or using regulated services, we may collect: Identification: full name, date/place of birth, nationality, address, ID document details, photos/video for liveness/biometric checks where lawful; Contact: email, phone, postal address; Regulatory: PEP/sanctions/adverse media results, tax residency/TIN, CRS/FATCA (where applicable); Suitability/Appropriateness: investment objectives, risk tolerance, knowledge/experience, occupation; Financial profile: declared income, sources of funds/wealth, assets/liabilities (for onboarding and ongoing monitoring). We do not process Sensitive Personal Data unless required by law or with explicit consent. Biometric processing (if any) is strictly in line with AIFC requirements and safeguards. Explicit Consent for Remote Identification (Biometrics). Where remote identification or liveness checks are used, you provide your explicit consent to TBI processing your biometric identifiers/biometric data strictly for identity verification, fraud prevention, and audit purposes, in line with AIFC requirements and subject to appropriate safeguards. If you do not wish to provide biometric data, please contact us to discuss alternative verification options (which may affect onboarding timelines).
2.4 Financial, Transactional, and Trading Data
To deliver brokerage and related services and to comply with legal obligations, we may process: payment/settlement details, orders, executions, positions, balances, statements, confirmations, fees/commissions, transaction histories, AML/CFT monitoring data/alerts, and audit trails are processed to deliver services and comply with law.
2.5 Marketing Communications
If you subscribe to our mailing list or otherwise opt in, we collect your email address (and, where provided, your name and role) to send newsletters, service updates, educational materials, and promotional communications related to TBI’s services. You may withdraw consent or opt out at any time via the “unsubscribe” link in our emails or by contacting us at info@titul-broker.kz. We maintain suppression lists to honor your opt-out choices.
2.6 Usage Data (Website Analytics and Cookies)
Automatically collected information may include IP/domain, URI, request time/method, response size/status, country, browser/OS features, session duration, pages viewed, navigation path, device parameters, referrer URLs, language, screen resolution, click/scroll events, session/cookie IDs, approximate geolocation (city/country), error/diagnostic logs, device attributes and integrity signals. We use cookies, pixels, tags, SDKs, and local storage to enable core functions, analytics, preferences, and security. Non-essential cookies are used only with your consent (see Section 8).
Cookie/Analytics Consent
Non-essential cookies and analytics/marketing technologies are used only with your consent, which you may grant or withdraw through our cookie banner and settings (see Section 8).
2.7 System Logs and Security
For operation/maintenance, and security purposes, we collect event logs that may include IP addresses, device/session IDs, authentication events, access timestamps, error codes, and actions taken within the Website/portal.
2.8 Publication Data (if applicable)
If the Website allows posts/comments/reviews, we process the published content and metadata. Avoid sharing Sensitive Personal Data or confidential information in public areas.
2.9 Mandatory vs Optional
Some Personal Data is mandatory to provide services or to comply with the law (e.g., identity and KYC information). If you choose not to provide mandatory data, we may be unable to onboard you or continue to provide certain services. Optional fields will be clearly indicated where practicable.
2.10 Accuracy
You are responsible for ensuring that the Personal Data you provide is accurate and up-to-date, and for promptly notifying us of any material changes (e.g., identity, contact, tax residency).
3. Purposes and Lawful Bases of
Processing
3.1 Service Provision and Contract Performance
To register accounts, provide brokerage/related services, operate client portals, deliver confirmations/statements, and administer relationships. Lawful bases: performance of a contract; legitimate interests (service effectiveness).
3.2 Regulatory Compliance (incl. AML/CFT, Sanctions, Prudential, Reporting)
To conduct due diligence (KYC/KYB), ongoing monitoring, sanctions/PEP/adverse media screening; to fulfil reporting/record-keeping obligations to AIFC authorities and other competent bodies. Lawful bases: legal obligation; public interest; legitimate interests (risk management).
3.3 Security, Fraud Prevention, and Incident Response
To protect accounts, detect/prevent fraud/abuse, ensure system integrity, and investigate incidents (including cyber). Lawful bases: legitimate interests; legal obligation (where applicable).
3.4 Customer Support and Communications
We process correspondence/ticket data to identify you, diagnose issues, provide resolutions, track case history, and improve the quality of our support. We may send operational/service communications (maintenance notices, terms/policy updates, critical security alerts). If calls/chats are recorded for quality/training purposes, this is done with appropriate notices and safeguards in place. Lawful bases: performance of a contract; legitimate interests (efficient support, quality assurance).
3.5 Analytics and Service Improvement
To measure performance, enhance usability, and develop services using aggregated/pseudonymised analytics. Lawful bases: legitimate interests; consent for non-essential cookies/analytics. Analytics and Service Improvement: Where analytics are not strictly necessary, TBI relies on your consent, which is captured via the cookie banner and can be withdrawn at any time.
3.6 Marketing (Opt-in)
To send newsletters, updates, and promotions to subscribers. Lawful basis: consent (withdrawable at any time). Marketing (Opt-in): Processing is based on your consent; unsubscribe links and suppression lists are maintained to honour your choices.
3.7 Legal Claims and Defence
To establish, exercise, or defend legal claims, manage insurance, and resolve disputes. Lawful bases: legitimate interests; legal obligation.
3.8 Automated Decision-Making/Profiling
We do not make decisions producing legal or similarly significant effects solely by automated means without human involvement, unless permitted by AIFC law and with appropriate safeguards. Where automated screening (e.g., sanctions/PEP) is used, a qualified staff member reviews alerts before decisions are taken. Where required by AIFC law, TBI seeks explicit consent for materially impactful automated processing; otherwise, a qualified staff member reviews alerts before any decision is taken.
3.9 Regulatory Overrides, Exemptions, and Conflicts:
Priority of legal obligations. If your request (e.g., erasure, restriction, objection) conflicts with TBI’s statutory duties (AML/CFT, record-keeping, reporting), TBI will prioritise compliance with AIFC law and may lawfully refuse or defer your request to the extent necessary. Non-disclosure constraints. Where AML/CFT rules prohibit disclosure (no “tipping-off”), TBI may be unable to inform you of specific compliance actions. Records and retention. TBI maintains records of processing and retains data for legally required periods; deletion may be suspended under legal hold or where needed for regulatory inquiries or litigation (see Section 5; standard 6-year period applies unless law requires longer/shorter). Lawful refusal to provide/continue services. TBI may decline onboarding or suspend services if required information/verification is not provided, or where doing so would contravene AIFC requirements.
3.10 Data Accuracy and Client Cooperation
You must ensure that your Personal Data is accurate and up-to-date, and promptly notify TBI of any material changes (including identity, contact, tax residency, and beneficial ownership). TBI may request supporting documentation and may be unable to provide or continue services until updates are verified.
4. Sharing and International Transfers
4.1. Recipients
We may disclose Personal Data to: affiliates within our corporate group (where relevant and necessary); service providers/processors (IT hosting, cloud, communications, analytics, identity verification/e-KYC, payment/correspondent banking, security, audit); professional advisers and insurers (risk management, coverage, disputes); exchanges, counterparties, and market infrastructure (to execute/settle transactions, where applicable); public authorities/regulators/courts where required by law or lawful request.
4.2 Safeguards for Processors
Processors act on our documented instructions and are bound by confidentiality and security obligations. We conduct due diligence and implement appropriate technical/organisational measures and data processing agreements.
4.3 International Transfers
Where Personal Data is transferred outside the AIFC, we use mechanisms recognised by AIFC law (e.g., transfers to jurisdictions with an adequate level of protection; contractual safeguards; and, where required, notification to or authorisation by the AIFC Commissioner of Data Protection). Further details may be provided upon request.
4.3.1. General Consent to Cross-Border Processing
By using the Website and our online services, you acknowledge and consent that your Personal Data may be processed and stored by reputable cloud, communications, screening, and analytics providers located outside the AIFC, subject to contractual and technical safeguards consistent with the AIFC Data Protection Regulations and Rules.
4.3.2. Explicit Consent Where Required
Where a recipient jurisdiction is not recognised as having an adequate level of protection and alternative safeguards are not available, TBI will seek your explicit consent for the specific transfer, and will notify the AIFC Commissioner of Data Protection where required by AIFC law.
4.4. Legal Compulsion and Vital Interests
We may disclose Personal Data to comply with legal obligations/requests or to protect vital interests of you or another person.
5. Data Retention
5.1 Principles
We retain Personal Data only for as long as necessary for the purposes set out in this Policy and to meet legal/regulatory/audit requirements (including AML/CFT retention), after which it is securely deleted or anonymised.
5.2 Standard Periods
Unless a longer period is required by law or for ongoing claims/litigation, we aim to delete/erase Personal Data no later than six (6) years after the end of the relationship or the last interaction with you, as applicable. Internal retention schedules may specify shorter or longer periods for specific records to align with AIFC obligations.
5.3 Suspension of Deletion
Deletion may be deferred where necessary to comply with the law, to fulfill regulator requests, or to establish/exercise/defend legal claims.
6. Security Measures
6.1 Technical and Organisational Measures
We implement layered controls such as encryption in transit/at rest (where feasible), network segmentation, access controls (least privilege, MFA), logging/monitoring, secure development practices, vulnerability management, and regular backups. Organisationally, we enforce confidentiality commitments, staff vetting as appropriate to roles, role-based access, mandatory training/awareness, vendor risk management, and periodic policy reviews.
6.2 Incident Response and Breach Notification
We maintain incident response procedures. Where required by AIFC law, we will notify the AIFC Commissioner of Data Protection and, where applicable, affected individuals without undue delay. Suspected Website-related incidents can be reported to info@titul-broker.kz.
6.3 Data Minimisation and Pseudonymisation
We apply minimisation, pseudonymisation, and aggregation where feasible (especially for analytics and logs) to reduce identifiability.
7. Your Rights
Subject to conditions and exemptions under AIFC law, you may have the following rights:
Right of Access To obtain confirmation and a copy of your Personal Data, processing purposes, categories, recipients, retention, and source (where not collected from you).
Rectification To correct inaccurate or incomplete data.
Restriction To request a temporary restriction where accuracy is contested, processing is unlawful, or data is no longer needed but required for legal claims.
Erasure To request deletion in the cases set out by AIFC law (e.g., data no longer necessary; consent withdrawn; unlawful processing). This right may not apply where data is required for compliance or legal claims.
Objection To object to processing based on legitimate interests or for direct marketing; we will cease unless we demonstrate compelling legitimate grounds.
Portability To receive data you provided to us in a structured, commonly used and machine-readable format and to transmit it to another controller where technically feasible.
Consent Management Where processing is based on consent, you may withdraw it at any time (without affecting prior lawful processing).
Complaint You may lodge a complaint with the AIFC Commissioner of Data Protection. We encourage you to contact us first at info@titul-broker.kz so we can address your concerns.
How to exercise rights: Email info@titul-broker.kz. For verification, please include your full name, Website email, and phone number. We may request additional information to confirm identity and locate records.
8. Cookies and Usage Data
8.1 Cookies/Similar Technologies
We use first-party and (where applicable) third-party cookies, pixels, tags, SDKs and local storage to enable core functionality, maintain sessions, remember preferences, perform analytics, and enhance security/fraud prevention. Non-essential cookies are used only with your consent.
8.2 Managing Preferences
Details of cookie categories, purposes, and storage periods are provided in our Cookie Notice. You can manage preferences via the Website’s cookie settings and/or your browser/device. Disabling certain cookies may impact functionality.
8.3 “Do Not Track”
The Website does not currently respond to DNT signals. We honour granular consent choices expressed through our cookie tools.
8.4 Usage/Log Data
We may process the usage data described in Section 2.6 to support security, analytics, diagnostics, and improvement, based on legitimate interests and/or consent for non-essential analytics.
9. Additional Legal Disclosures
9.1 Legal Requests and Public Authorities
We may disclose Personal Data upon lawful request of public authorities or to comply with applicable legal obligations.
9.2 Corporate Transactions
In case of a reorganisation, merger, acquisition, or asset sale, Personal Data may be transferred to relevant counterparties subject to appropriate safeguards and, where required, notification obligations.
10. Changes to this Policy
We reserve the right to update this Policy. Material changes will be reflected by an updated “last revised” date and, where appropriate, communicated by additional notice. If you object to the changes, you must stop using the Website; otherwise, your continued use will constitute acceptance.
11. Contact Us
For privacy questions, rights requests, complaints, or incident reports (including suspected cyber incidents), contact: info@titul-broker.kz. For verification and security, include your full name, the email used on the Website (if any), and a contact phone number.
12. Consent Management & Records
12.1 Obtaining and Recording Consent
TBI collects consents through clear affirmative action (e.g., tick-box, click-through, digital signature) and records the date/time, source (e.g., webform), version of this Policy, and technical identifiers (e.g., IP/session ID) to demonstrate compliance.
12.2 Granularity and Freely Given Standard
Consents are granular (e.g., marketing, cookies, biometrics, specific transfers). Where processing is required by law or contract, consent is not used as the lawful basis. Refusal to consent will not result in detriment except where the feature itself requires consent (e.g., non-essential analytics, marketing).
12.3 Withdrawal of Consent
You may withdraw any consent at any time by using the mechanisms provided (unsubscribe link, cookie settings) or by contacting info@titul-broker.kz. We will act on your request without undue delay and, in any event, within the time limits required by AIFC law. Withdrawal does not affect processing based on other lawful bases.
12.4 Evidence and Audit
TBI maintains evidence of consents and withdrawals and may retain minimal suppression data (e.g., email address in a “do-not-contact” list) to respect your choices.