Privacy Policy

Application: Tunduk Mobile
Operator: OJSC "TUNDUK"
Last updated: April 1, 2026
Contact: contactcenter@tunduk.gov.kg

This Privacy Policy explains how Tunduk Mobile ("we", "our", or "the App") collects, uses, stores, and protects information about you when you use our application. By using the App, you agree to the practices described in this policy.

1. Who We Are

Tunduk Mobile is an official mobile application providing access to the government e-services platform of the Kyrgyz Republic (Tunduk). The App is operated by OJSC "TUNDUK", registered in the Kyrgyz Republic.

2. Data We Collect

We collect the following categories of data:

a) Personal Identification Data

• Full name
• Email address
• Phone number
• Date of birth

b) Government / Identity Data

• National identification number (INN / PIN)
• Passport or national ID document details
• Data obtained through ESIA authentication

c) Biometric & Device Data

• Biometric authentication signals (fingerprint, Face ID) — processed entirely on-device via the operating system. We do not store raw biometric data on our servers.
• Device identifiers (push token for notifications)
• Operating system type and version

d) Usage Data

• App usage events and crash reports (via Firebase Crashlytics / Performance Monitoring)
• Session activity logs for security auditing

3. How We Use Your Data

• Authentication & access: To verify your identity and provide secure access to government e-services via ESIA.
• Service delivery: To process and display government service requests, status updates, and notifications on your behalf.
• Security: To detect fraud, unauthorized access, and to enforce session management (PIN / biometric unlock).
• Push notifications: To inform you of important updates related to your service requests.
• App improvement: Aggregated, anonymized analytics to improve stability and performance.

4. Legal Basis for Processing

We process your personal data on the following grounds:

• Your consent, provided during registration and authentication.
• Performance of a public task / legal obligation, as the App is an official channel for Kyrgyz government digital services under applicable national legislation.
• Legitimate interests, specifically security and fraud prevention.

5. Data Sharing & Third Parties

We do not sell your personal data. We may share data only in the following cases:

• Government agencies of the Kyrgyz Republic — as required to fulfill e-service requests.
• ESIA — for identity verification and service integration.
• Firebase (Google LLC) — for crash reporting, performance monitoring, and push notifications. Firebase processes data under Google's Data Processing Agreement.
• Law enforcement or regulators — when required by applicable law.

6. Biometric Data

Biometric authentication (fingerprint / Face ID) is handled exclusively by your device's operating system (Android Biometric API / iOS LocalAuthentication). The App never accesses, transmits, or stores raw biometric data. Only a cryptographic success/failure result is returned to the App.

7. Data Retention

• Authentication tokens are stored locally on your device and expire per session policy.
• Service request history is retained for the period required by applicable government record-keeping regulations.
• Crash and analytics data is retained for up to 90 days in aggregated form.
• You may request deletion of your account data at any time (see Section 9).

8. Data Security

We implement industry-standard security measures including:

• HTTPS / TLS encryption for all network communication
• Secure token storage using platform-provided keychain/keystore mechanisms
• PIN-based app lock with configurable session timeouts
• No plaintext storage of credentials or sensitive identity data on device

9. Your Rights

Depending on applicable law, you may have the right to:

• Access a copy of your personal data
• Correct inaccurate data
• Request deletion of your data
• Withdraw consent (note: this may limit access to services)
• Lodge a complaint with the relevant data protection authority in the Kyrgyz Republic

To exercise these rights, contact us at: contactcenter@tunduk.gov.kg

10. Children's Privacy

Tunduk Mobile is intended for users who are 18 years of age or older (or the minimum legal age to access government services). We do not knowingly collect personal data from children under 13. If you believe a child has provided us with personal data, please contact us immediately.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes via in-app notification. Continued use of the App after changes take effect constitutes your acceptance of the revised policy.

12. Contact Us

If you have any questions or concerns about this Privacy Policy:
OJSC "TUNDUK"
Address: Toktonaliev St. 96, Bishkek, Kyrgyz Republic
Email: contactcenter@tunduk.gov.kg
Phone: +996 (707) 98-81-23